Lucene search

Veracode Vulnerability DatabaseVERACODE:45266

HistoryFeb 01, 2024 - 9:20 a.m.

Authentication Bypass

2024-02-0109:20:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

missing authentication checks

application

password-protected

access_code

attacker access

plugins

authorization

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Lobe Chat is vulnerable to Authentication Bypass. The vulnerability is caused due to missing authentication checks within route.ts when the application is password-protected (deployed with the ACCESS_CODE option). This allows an attacker to access plugins without proper authorization.

CPENameOperatorVersion
@lobehub/chatle0.122.3
@lobehub/chatle0.122.3

CPE	Name	Operator	Version
	@lobehub/chat	le	0.122.3
	@lobehub/chat	le	0.122.3

References

github.com/advisories/GHSA-pf55-fj96-xf37

github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd

github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for VERACODE:45266