Lucene search

GitHub Advisory DatabaseGHSA-4946-85PR-FVXH

HistoryMar 15, 2024 - 4:42 p.m.

vantage6's CORS settings overly permissive

2024-03-1516:42:55

CWE-863

CWE-942

GitHub Advisory Database

github.com

vantage6

cors settings

permissive

server

impact

limited

session cookies

patches

workarounds

software

4.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Impact

The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server.

The impact is limited because v6 does not use session cookies

Patches

Workarounds

Affected configurations

Vulners

Node

vantage6vantage6Range≤4.2.2

CPENameOperatorVersion
vantage6le4.2.2

CPE	Name	Operator	Version
	vantage6	le	4.2.2

References

github.com/advisories/GHSA-4946-85pr-fvxh

github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41

github.com/vantage6/vantage6/security/advisories/GHSA-4946-85pr-fvxh

nvd.nist.gov/vuln/detail/CVE-2024-23823

4.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for GHSA-4946-85PR-FVXH