إرسال #855074: will-moss Isaiah 1.36.9 CWE-862 Missing Authorizationالمعلومات

عنوانwill-moss Isaiah 1.36.9 CWE-862 Missing Authorization
الوصفA vulnerability was found in will-moss Isaiah 1.36.9 and classified as high. Affected is the Agent forwarding path in the Server.Handle websocket handler. The manipulation of the websocket command field Agent leads to missing authorization before forwarding commands from the Master node to registered Agent nodes. It is possible to launch the attack remotely against a reachable Master websocket endpoint. Authentication required: no for triggering Master-side forwarding. User interaction required: no. Technical Details - Affected file/function: app/server/server/server.go / Server.Handle - Vulnerable parameter: websocket command field Agent - Attack vector: Network - Privileges required: None for Master-side forwarding - Trigger condition: Isaiah runs in a multi-node deployment as Master and has at least one registered Agent. A raw websocket client sends a command with the Agent field set before authenticating to the Master. The Master forwarding branch is evaluated before the normal authenticated session check. When SERVER_ROLE is Master and command.Agent is not empty, the handler iterates active sessions, selects the Agent session only by Agent.Name, clears command.Agent, overwrites command.Initiator with the current client's server-side session id, writes the command to the Agent session, and returns. The later session.Get("authenticated") authorization gate is not reached for that forwarded command. Direct Agent command execution is conditional. If Agent authentication is enabled, the Agent-side per-initiator authentication state rejects non-auth commands for a new unauthenticated initiator. If Agent authentication is disabled, weak, or known to the attacker, this Master-side bypass can lead to unauthorized Docker resource access and manipulation through the Agent node. Impact - Confidentiality: High when Agent authentication is disabled, weak, or compromised; otherwise limited to Agent probing and authentication responses. - Integrity: Low to High depending on Agent-side authentication and Docker management permissions. - Availability: Low to High depending on reachable Agent actions, such as stopping or modifying containers and stacks. CVSS v3.1 Score: 8.2 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Timeline - Discovered: 2026-06-10 - Vendor notified: 2026-06-10 - Patch released: [unknown] - Public disclosure: 2026-06-10 Countermeasure Require the Master websocket session to be authenticated before entering the Agent forwarding branch. The Agent forwarding path should be protected by the same authorization gate as normal Master-side commands, while preserving the existing per-Agent authentication flow for already-authenticated Master users.
المصدر⚠️ https://github.com/will-moss/isaiah/issues/34
المستخدم
 Dem0000000 (UID 98743)
ارسال10/06/2026 03:06 PM (1 شهر منذ)
الاعتدال12/07/2026 08:12 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377891 [will-moss Isaiah حتى 1.36.9 Master Websocket server.go Server.Handle Agent تجاوز الصلاحيات]
النقاط20

Interested in the pricing of exploits?

See the underground prices here!