Lucene search

SnykCVELIST:CVE-2023-26114

HistoryMar 23, 2023 - 5:00 a.m.

CVE-2023-26114

2023-03-2305:00:01

snyk

www.cve.org

cve-2023-26114

missing origin validation

websockets

adversary

data access

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

CNA Affected

[
  {
    "product": "code-server",
    "versions": [
      {
        "version": "0",
        "lessThan": "4.10.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]

References

github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7

github.com/coder/code-server/releases/tag/v4.10.1

security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

Related for CVELIST:CVE-2023-26114