Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/louislam/uptime-kuma: CVE-2023-49805 #2396

Closed
GoVulnBot opened this issue Dec 12, 2023 · 1 comment
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-49805 references github.com/louislam/uptime-kuma, which may be a Go module.

Description:
Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the Origin header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application.

Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application.

In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the Origin header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the Origin header is not present. Users can override this behavior by setting environment variable UPTIME_KUMA_WS_ORIGIN_CHECK=bypass.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/louislam/uptime-kuma
      vulnerable_at: 0.0.0-20231211112620-99adac3eb9e9
      packages:
        - package: uptime-kuma
cves:
    - CVE-2023-49805
references:
    - advisory: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrr
    - fix: https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e72899708220d184f

@timothy-king timothy-king self-assigned this Dec 14, 2023
@timothy-king timothy-king added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Dec 14, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/549835 mentions this issue: data/excluded: batch add 9 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

3 participants