CVE-2023-26114

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-03-23 05:15

Updated : 2023-11-07 04:09

NVD link : CVE-2023-26114

Mitre link : CVE-2023-26114

CVE.ORG link : CVE-2023-26114

JSON object : View

Products Affected

coder

code-server

CWE

CWE-346

Origin Validation Error

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2023-26114", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "report@snyk.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}]}, "published": "2023-03-23T05:15:16.927", "references": [{"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "tags": ["Patch"], "source": "report@snyk.io"}, {"url": "https://github.com/coder/code-server/releases/tag/v4.10.1", "tags": ["Release Notes"], "source": "report@snyk.io"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "tags": ["Patch"], "source": "report@snyk.io"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}]}, {"type": "Secondary", "source": "report@snyk.io", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."}], "lastModified": "2023-11-07T04:09:22.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E36A6CC6-DD16-4EC8-8E13-C8A4C2836284", "versionEndExcluding": "4.10.1"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}