gsd-2023-49805
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.
Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.
In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-49805",
"id": "GSD-2023-49805"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-49805"
],
"details": "Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.\n\nWithout origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with \"No-auth\" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.\n\nIn version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.",
"id": "GSD-2023-49805",
"modified": "2023-12-13T01:20:34.865599Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-49805",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "uptime-kuma",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 1.23.9"
}
]
}
}
]
},
"vendor_name": "louislam"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.\n\nWithout origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with \"No-auth\" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.\n\nIn version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-1385",
"lang": "eng",
"value": "CWE-1385: Missing Origin Validation in WebSockets"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr",
"refsource": "MISC",
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr"
},
{
"name": "https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708220d184f",
"refsource": "MISC",
"url": "https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708220d184f"
}
]
},
"source": {
"advisory": "GHSA-mj22-23ff-2hrr",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dockge.kuma:dockge:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AD32927-6407-4711-8521-81C662CD7041",
"versionEndExcluding": "1.3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04F74E4F-6339-4155-BE6A-B10151B8E18D",
"versionEndExcluding": "1.23.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.\n\nWithout origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with \"No-auth\" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.\n\nIn version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`."
},
{
"lang": "es",
"value": "Uptime Kuma es una herramienta de monitorizaci\u00f3n autohospedada y f\u00e1cil de usar. Antes de la versi\u00f3n 1.23.9, la aplicaci\u00f3n utiliza WebSocket (con Socket.io), pero no verifica que la fuente de comunicaci\u00f3n sea v\u00e1lida. Esto permite que el sitio web de terceros acceda a la aplicaci\u00f3n en nombre de su cliente. Al conectarse al servidor usando Socket.IO, el servidor no valida el encabezado \"Origin\", lo que hace que otro sitio pueda abrir conexiones al servidor y comunicarse con \u00e9l. Otros sitios web a\u00fan necesitan autenticarse para acceder a la mayor\u00eda de las funciones; sin embargo, esto se puede usar para eludir las protecciones de firewall implementadas por las personas que implementan la aplicaci\u00f3n. Sin la validaci\u00f3n del origen, el Javascript ejecutado desde otro origen podr\u00eda conectarse a la aplicaci\u00f3n sin ninguna interacci\u00f3n del usuario. Sin credenciales de inicio de sesi\u00f3n, dicha conexi\u00f3n no puede acceder a endpoints protegidos que contengan datos confidenciales de la aplicaci\u00f3n. Sin embargo, dicha conexi\u00f3n puede permitir al atacante explotar a\u00fan m\u00e1s vulnerabilidades invisibles de la aplicaci\u00f3n. Los usuarios con el modo \"Sin autenticaci\u00f3n\" configurado que dependen de un proxy inverso o un firewall para brindar protecci\u00f3n a la aplicaci\u00f3n ser\u00edan especialmente vulnerables ya que otorgar\u00edan al atacante acceso completo a la aplicaci\u00f3n. En la versi\u00f3n 1.23.9, se agreg\u00f3 verificaci\u00f3n adicional del encabezado de origen HTTP al controlador de conexi\u00f3n socket.io. De forma predeterminada, si el encabezado \"Origin\" est\u00e1 presente, se comparar\u00e1 con el encabezado Host. Se denegar\u00eda la conexi\u00f3n si los nombres de host no coinciden, lo que indicar\u00eda que la solicitud es de origen cruzado. Se permitir\u00e1 la conexi\u00f3n si el encabezado \"Origin\" no est\u00e1 presente. Los usuarios pueden anular este comportamiento configurando la variable de entorno `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`."
}
],
"id": "CVE-2023-49805",
"lastModified": "2023-12-14T19:48:34.987",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2023-12-11T23:15:08.057",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708220d184f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1385"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.