CVE-2023-26114

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:50

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.3~~	v2 : unknown v3 : 8.2
References	~~() https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7 - Patch~~	() https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7 - Patch
References	~~() https://github.com/coder/code-server/releases/tag/v4.10.1 - Release Notes~~	() https://github.com/coder/code-server/releases/tag/v4.10.1 - Release Notes
References	~~() https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148 - Patch~~	() https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148 - Patch

Information

Published : 2023-03-23 05:15

Updated : 2024-11-21 07:50

NVD link : CVE-2023-26114

Mitre link : CVE-2023-26114

CVE.ORG link : CVE-2023-26114

JSON object : View

Products Affected

coder

code-server

CWE

CWE-1385

Missing Origin Validation in WebSockets

CWE-346

Origin Validation Error

{"id": "CVE-2023-26114", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}]}, "published": "2023-03-23T05:15:16.927", "references": [{"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/coder/code-server/releases/tag/v4.10.1", "tags": ["Release Notes"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/coder/code-server/releases/tag/v4.10.1", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-1385"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."}], "lastModified": "2024-11-21T07:50:48.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E36A6CC6-DD16-4EC8-8E13-C8A4C2836284", "versionEndExcluding": "4.10.1"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}