CVE-2023-26114

2023-03-2305:15:16

CWE-1385

CWE-346

[email protected]

web.nvd.nist.gov

code-server

vulnerability

websockets

cve-2023-26114

security

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

Affected configurations

NVD

Node

codercode-serverRange<4.10.1

CPENameOperatorVersion
coder:code-servercoder code-serverlt4.10.1

CPE	Name	Operator	Version
coder:code-server	coder code-server	lt	4.10.1

CNA Affected

[
  {
    "product": "code-server",
    "versions": [
      {
        "version": "0",
        "lessThan": "4.10.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]