CVE-2023-49805

Published: Dic 11, 2023 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2023-53715 Aliases: GSD-2023-49805

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,0

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: high

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: low

Availability: low

Description

AI Translation Available

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.

Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with 'No-auth' mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.

In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.

AI Generated Translation

Uptime Kuma è uno strumento di monitoraggio self-hosted facile da usare. Prima della versione 1.23.9, l'applicazione utilizzava WebSocket (con Socket.io), ma non verificava che la fonte della comunicazione fosse valida. Ciò consente a siti di terze parti di accedere all'applicazione per conto dei loro clienti. Quando ci si connette al server utilizzando Socket.IO, il server non valida l'intestazione `Origin`, permettendo ad altri siti di aprire connessioni al server e comunicare con esso. Altri siti web devono comunque autenticarsi per accedere alla maggior parte delle funzionalità; tuttavia, questa vulnerabilità può essere sfruttata per aggirare le protezioni del firewall implementate da chi distribuisce l'applicazione.

Senza la validazione dell'origine, il JavaScript eseguito da un'altra origine potrebbe connettersi all'applicazione senza alcuna interazione da parte dell'utente. Senza credenziali di accesso, una tale connessione non può accedere agli endpoint protetti contenenti dati sensibili dell'applicazione. Tuttavia, una connessione di questo tipo potrebbe consentire a un attaccante di sfruttare ulteriori vulnerabilità non rilevate dell'applicazione. Gli utenti con modalità "No-auth" configurata, che si affidano a un reverse proxy o a un firewall per proteggere l'applicazione, sarebbero particolarmente vulnerabili, poiché questa vulnerabilità potrebbe concedere all'attaccante pieno accesso all'applicazione.

Nella versione 1.23.9, è stata aggiunta una verifica supplementare dell'intestazione HTTP Origin nel gestore delle connessioni socket.io. Per impostazione predefinita, se l'intestazione `Origin` è presente, verrà confrontata con l'intestazione Host. La connessione verrà negata se i nomi host non corrispondono, il che indicherebbe che la richiesta è cross-origin. La connessione sarà consentita se l'intestazione `Origin` non è presente. Gli utenti possono sovrascrivere questo comportamento impostando la variabile d'ambiente `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0001

Percentile

0,0th

Updated

EPSS Score Trend (Last 90 Days)

346

Origin Validation Error

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Other Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Not Technology-Specific, Web Based

View CWE Details

1385

Missing Origin Validation in WebSockets

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Non-Repudiation Access Control

Potential Impacts:

Varies By Context Gain Privileges Or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Technologies: Web Based, Web Server

View CWE Details

Application

Uptime Kuma by Uptime.Kuma

Product Information

Vendor Uptime.Kuma

Product Uptime Kuma

Version Range Affected

To 1.23.9 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Dockge by Dockge.Kuma

Product Information

Vendor Dockge.Kuma

Product Dockge

Version Range Affected

To 1.3.3 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:dockge.kuma:dockge:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9…

Patch

https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708…

https://github.com/louislam/uptime-kuma/security/advisories…

Exploit Vendor Advisory

https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr

https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9…

Patch

https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708…

https://github.com/louislam/uptime-kuma/security/advisories…

Exploit Vendor Advisory

https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr

CVE-2023-49805

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Origin Validation Error

Common Consequences

Applicable Platforms

Missing Origin Validation in WebSockets

Common Consequences

Applicable Platforms

Uptime Kuma by Uptime.Kuma

Product Information

Dockge by Dockge.Kuma

Product Information

Iscriviti alla newsletter