Sep 25, 2023 - 8:15 p.m.

CVE-2023-43644

2023-09-25 20:15:11
CWE-306
web.nvd.nist.gov
sing-box
open source
proxy system
authentication bypass
cve-2023-43644
socks5
inbound
user authentication
update

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 39.1%)

Sing-box is an open source proxy system. Affected versions are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users are advised to update to sing-box 1.4.4 or to 1.5.0-rc.4. Users unable to update should not expose the SOCKS5 inbound to insecure environments.

Affected configurations

Node
sagernet sing-box, Range: < 1.4.5
OR
sagernet sing-box, Range: 1.5.0-beta.1 to 1.5.0-rc.4

Vendor     Product      Version   CPE
sagernet   sing\-box    *         cpe:2.3:a:sagernet:sing\-box:*:*:*:*:*:*:*:*
sagernet   sing\-box    *         cpe:2.3:a:sagernet:sing\-box:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "SagerNet",
    "product": "sing-box",
    "versions": [
      {
        "version": "< 1.4.5",
        "status": "affected"
      },
      {
        "version": ">= 1.5.0-beta.1, < 1.5.0-rc.4",
        "status": "affected"
      }
    ]
  }
]
