CSRF vulnerability and Collins version 2.2.0


Felix Aronsson

Oct 11, 2017, 12:27:53 PM10/11/17
to Collins
Hello all,

The security team at Tumblr recently found a CSRF vulnerability in Collins that could let an attacker modify or create assets by getting an authenticated user to visit an external page and guessing or brute-forcing the asset tags. Depending on what kind of automation that relies on data from Collins is in place, this could lead to some bad consequences.

We just released Collins version 2.2.0 that implements CSRF protection that should mitigate the issue, along with a couple of features (GPU and NVMe support, for instance) and bug fixes. The release is available from the release page (https://github.com/tumblr/collins/releases/tag/v2.2.0) and a new version of the docker image has been pushed to the public registry and tagged "tumblr/collins:v2.2.0".

While we highly recommend updating, if you can't update Collins itself straight away the problem can be mitigated by using Origin or Referer header checks in a reverse proxy in front of Collins. The latter could look something like this using nginx:

location /api {
  try_files $uri @collins;
}

location / {
  valid_referers collins.example.com/;

  if ($invalid_referer) {
    return 403;
  }

  try_files $uri @collins;
}

Where @collins is a location block reverse proxying to a Collins instance.

Thank you!
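The Referer-based gate from the nginx snippet above, written out as a small Python function (an added example, not code from the post or from Collins) so the decision logic can be tested against sample requests. It keeps the same /api exemption and the same allowed host, collins.example.com, but goes beyond the snippet in two ways: it only gates state-changing methods, and it prefers the Origin header over Referer, since browsers send Origin on cross-site POSTs even when Referrer-Policy strips Referer. ALLOWED_HOSTS and the request values in the test are assumed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Host allowed to originate state-changing requests (assumed value, matching
# the collins.example.com host used in the nginx snippet in the post).
ALLOWED_HOSTS = {"collins.example.com"}
# Methods that do not change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def source_host(header_value: str) -> Optional[str]:
    """Host part of an Origin ("https://h") or Referer ("https://h/path") value,
    or None when the header is absent or carries no parsable host (e.g. "null")."""
    if not header_value:
        return None
    parts = urlsplit(header_value)
    return parts.hostname.lower() if parts.hostname else None


def csrf_check(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, reason) for one request, as a reverse proxy would decide it.

    200 means pass the request through to Collins, 403 means reject it.
    """
    # The nginx snippet exempts /api so non-browser clients keep working.
    if path.startswith("/api"):
        return 200, "api path exempt"
    if method.upper() in SAFE_METHODS:
        return 200, "safe method"
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        host = source_host(h.get(name, ""))
        if host is not None:
            if host in ALLOWED_HOSTS:
                return 200, f"{name} host allowed"
            # Exact host match: a look-alike such as collins.example.com.evil.test fails.
            return 403, f"{name} host {host!r} not allowed"
    # Neither header usable. A cross-site form POST from a browser always carries
    # Origin, so a write with no source header is treated as untrusted.
    return 403, "no usable origin or referer on state-changing request"
```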