GitHub Advisory Database: GHSA-C6MM-2G84-V4M7
May 05, 2023 - 11:10 p.m.

Mage-ai missing user authentication

2023-05-05 23:10:44
CWE-306
GitHub Advisory Database
github.com
10
mage-ai
user authentication
vulnerability
patched
software

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 56.3%

Impact

You may be impacted if you’re using Mage with user authentication enabled. The terminal could be accessed by users who are not signed in or do not have editor permissions.

Patches

The vulnerability has been resolved in Mage version 0.8.72.

Affected configurations

Vulners Node: mage mage-ai, Range < 0.8.72, python

Vendor: mage
Product: mage-ai
Version: *
CPE: cpe:2.3:a:mage:mage-ai:*:*:*:*:*:python:*:*
