CVE-2023-26114 - OpenCVE

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Coder	Code-server

Configuration 1 [-]

cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: snyk

Published: 2023-03-23T05:00:01.220Z

Updated: 2023-03-23T05:00:01.220Z

Reserved: 2023-02-20T10:28:48.922Z

Link: CVE-2023-26114

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-23T05:15:16.927

Modified: 2023-11-07T04:09:22.310

Link: CVE-2023-26114

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E36A6CC6-DD16-4EC8-8E13-C8A4C2836284", "versionEndExcluding": "4.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."}], "id": "CVE-2023-26114", "lastModified": "2023-11-07T04:09:22.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-03-23T05:15:16.927", "references": [{"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7"}, {"source": "report@snyk.io", "tags": ["Release Notes"], "url": "https://github.com/coder/code-server/releases/tag/v4.10.1"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1385"}], "source": "report@snyk.io", "type": "Secondary"}]}