lukehutch Gribbit HttpRequestHandler.java messageReceived missing origin validation in websockets

A vulnerability classified as problematic was found in lukehutch Gribbit. It affects the function messageReceived in the file src/gribbit/request/HttpRequestHandler.java, where the manipulation leads to missing origin validation in WebSockets. The weakness is classified as CWE-1385. It was released on 01/09/2023 as 620418df247aebda3dd4be1dda10fe229ea505dd, and the advisory is available for download at github.com. The vulnerability is tracked as CVE-2014-125071. The attack can only be initiated within the local network. Technical details are available. There is no exploit available. The current price for an exploit might be approximately USD $0-$5k. It is declared as not defined. As a 0-day, the estimated underground price was around $0-$5k. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd, and the bugfix is ready for download at github.com. Applying the patch is the recommended fix. A possible mitigation was published before, not after, the disclosure of the vulnerability.

| Field | 01/09/2023 21:50 | 01/30/2023 15:34 |
|---|---|---|
| vendor | lukehutch | lukehutch |
| name | Gribbit | Gribbit |
| file | src/gribbit/request/HttpRequestHandler.java | src/gribbit/request/HttpRequestHandler.java |
| function | messageReceived | messageReceived |
| cwe | 1385 (missing origin validation in websockets) | 1385 (missing origin validation in websockets) |
| risk | 1 | 1 |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | L | L |
| cvss3_vuldb_a | L | L |
| cvss3_vuldb_rl | O | O |
| cvss3_vuldb_rc | C | C |
| identifier | 620418df247aebda3dd4be1dda10fe229ea505dd | 620418df247aebda3dd4be1dda10fe229ea505dd |
| url | https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd | https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd |
| name | Patch | Patch |
| patch_name | 620418df247aebda3dd4be1dda10fe229ea505dd | 620418df247aebda3dd4be1dda10fe229ea505dd |
| patch_url | https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd | https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd |
| advisoryquote | Protect against CSWSH: (Cross-Site WebSocket Hijacking) | Protect against CSWSH: (Cross-Site WebSocket Hijacking) |
| cve | CVE-2014-125071 | CVE-2014-125071 |
| responsible | VulDB | VulDB |
| date | 1673218800 (01/09/2023) | 1673218800 (01/09/2023) |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | P | P |
| cvss2_vuldb_ai | P | P |
| cvss2_vuldb_rc | C | C |
| cvss2_vuldb_rl | OF | OF |
| cvss2_vuldb_av | A | A |
| cvss2_vuldb_au | S | S |
| cvss2_vuldb_e | ND | ND |
| cvss3_vuldb_av | A | A |
| cvss3_vuldb_pr | L | L |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_e | X | X |
| cvss2_vuldb_basescore | 5.2 | 5.2 |
| cvss2_vuldb_tempscore | 4.5 | 4.5 |
| cvss3_vuldb_basescore | 5.5 | 5.5 |
| cvss3_vuldb_tempscore | 5.3 | 5.3 |
| cvss3_meta_basescore | 5.5 | 5.5 |
| cvss3_meta_tempscore | 5.3 | 5.3 |
| price_0day | $0-$5k | $0-$5k |

cve_assigned: 1673218800 (01/09/2023)

cve_nvd_summary: A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.
