Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-7RQ6-7GV8-C37H
HistoryNov 03, 2021 - 5:30 p.m.

Missing Authorization with Default Settings in Dashboard UI

2021-11-0317:30:59
Google
osv.dev
7
hangfire
dashboard ui
authorization filters
remote requests
patches
workarounds.

EPSS

0.001

Percentile

49.4%

JSON

Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.

However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.

Impact

Missing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the Using Dashboard documentation article.

Impacted

If you are using UseHangfireDashboard method with default DashboardOptions.Authorization property value, then your installation is impacted:

app.UseHangfireDashboard(); // Impacted
app.UseHangfireDashboard("/hangfire", new DashboardOptions()); // Impacted

Not Impacted

If any other authorization filter is specified in the DashboardOptions.Authorization property, the you are not impacted:

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted
});

Patches

Patch is already available in version 1.7.26 and already available on NuGet.org, please see Hangfire.Core 1.7.26. Default authorization rules now prohibit remote requests by default again by including the LocalRequestsOnlyAuthorizationFilter filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.

Workarounds

It is possible to fix the issue by using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI. In this case upgrade is not required.

// using Hangfire.Dashboard;

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }
});

References

Original GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958

Related

cve 1
osv 1
prion 1
cvelist 1
github 1
nvd 1
veracode 1
cve
cve
CVE-2021-41238
2021-11-02 18:15:08
osv
osv
CVE-2021-41238
2021-11-02 18:15:08
prion
prion
Authorization
2021-11-02 18:15:00
cvelist
cvelist
CVE-2021-41238 Missing Authorization with Default Settings in Dashboard UI
2021-11-02 18:05:11
github
github
Missing Authorization with Default Settings in Dashboard UI
2021-11-03 17:30:59
nvd
nvd
CVE-2021-41238
2021-11-02 18:15:08
veracode
veracode
Authorization Bypass
2021-11-05 06:16:17

EPSS

0.001

Percentile

49.4%

JSON
Related for OSV:GHSA-7RQ6-7GV8-C37H
cve1osv1prion1cvelist1github1nvd1veracode1