Lucene search

GoogleOSV:GHSA-4946-85PR-FVXH

HistoryMar 15, 2024 - 4:42 p.m.

vantage6's CORS settings overly permissive

2024-03-1516:42:55

Google

osv.dev

vantage6

server

cors

settings

permissive

limited impact

session cookies

4.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Impact

The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server.

The impact is limited because v6 does not use session cookies

Patches

Workarounds

CPENameOperatorVersion
vantage6eq1.0.0b12
vantage6eq2.2.6
vantage6eq3.10.1
vantage6eq3.3.1
vantage6eq3.4.2
vantage6eq3.10.0
vantage6eq3.5.0
vantage6eq4.0.0a5
vantage6eq2.3.0rc2
vantage6eq3.2.0rc4

Name	Operator	Version
vantage6	eq	1.0.0b12
vantage6	eq	2.2.6
vantage6	eq	3.10.1
vantage6	eq	3.3.1
vantage6	eq	3.4.2
vantage6	eq	3.10.0
vantage6	eq	3.5.0
vantage6	eq	4.0.0a5
vantage6	eq	2.3.0rc2
vantage6	eq	3.2.0rc4

Rows per page:

1-10 of 2101

References

github.com/vantage6/vantage6

github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41

github.com/vantage6/vantage6/security/advisories/GHSA-4946-85pr-fvxh

nvd.nist.gov/vuln/detail/CVE-2024-23823

4.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for OSV:GHSA-4946-85PR-FVXH