FKIE_CVE-2023-50710

Vulnerability from fkie_nvd - Published: 2023-12-14 18:15 - Updated: 2024-11-21 08:37
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.
References
security-advisories@github.comhttps://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8Patch
security-advisories@github.comhttps://github.com/honojs/hono/releases/tag/v3.11.7Release Notes
security-advisories@github.comhttps://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vqExploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/honojs/hono/releases/tag/v3.11.7Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vqExploit, Vendor Advisory
Impacted products
Vendor Product Version
hono hono *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "74A7A157-DE4D-4445-9670-2EBF795FAB11",
              "versionEndExcluding": "3.11.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly."
    },
    {
      "lang": "es",
      "value": "Hono es un framework web escrito en TypeScript. Antes de la versi\u00f3n 3.11.7, los clientes pueden anular los valores de los par\u00e1metros de ruta con nombre de solicitudes anteriores si la aplicaci\u00f3n utiliza TrieRouter. Por lo tanto, existe el riesgo de que un usuario privilegiado utilice par\u00e1metros no deseados al eliminar recursos de la API REST. TrieRouter se usa expl\u00edcitamente o cuando la aplicaci\u00f3n coincide con un patr\u00f3n que no es compatible con el RegExpRouter predeterminado. La versi\u00f3n 3.11.7 incluye el cambio para solucionar este problema. Como workaround, evite utilizar TrieRouter directamente."
    }
  ],
  "id": "CVE-2023-50710",
  "lastModified": "2024-11-21T08:37:11.103",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-14T18:15:45.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/honojs/hono/releases/tag/v3.11.7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/honojs/hono/releases/tag/v3.11.7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.