| عنوان | will-moss Isaiah 1.36.9 CWE-862 Missing Authorization |
|---|
| الوصف | A vulnerability was found in will-moss Isaiah 1.36.9 and classified as high.
Affected is the Agent forwarding path in the Server.Handle websocket handler.
The manipulation of the websocket command field Agent leads to missing
authorization before forwarding commands from the Master node to registered
Agent nodes. It is possible to launch the attack remotely against a reachable
Master websocket endpoint.
Authentication required: no for triggering Master-side forwarding.
User interaction required: no.
Technical Details
- Affected file/function: app/server/server/server.go / Server.Handle
- Vulnerable parameter: websocket command field Agent
- Attack vector: Network
- Privileges required: None for Master-side forwarding
- Trigger condition: Isaiah runs in a multi-node deployment as Master and has at least one registered Agent. A raw websocket client sends a command with the Agent field set before authenticating to the Master.
The Master forwarding branch is evaluated before the normal authenticated
session check. When SERVER_ROLE is Master and command.Agent is not empty, the
handler iterates active sessions, selects the Agent session only by Agent.Name,
clears command.Agent, overwrites command.Initiator with the current client's
server-side session id, writes the command to the Agent session, and returns.
The later session.Get("authenticated") authorization gate is not reached for
that forwarded command.
Direct Agent command execution is conditional. If Agent authentication is
enabled, the Agent-side per-initiator authentication state rejects non-auth
commands for a new unauthenticated initiator. If Agent authentication is
disabled, weak, or known to the attacker, this Master-side bypass can lead to
unauthorized Docker resource access and manipulation through the Agent node.
Impact
- Confidentiality: High when Agent authentication is disabled, weak, or compromised; otherwise limited to Agent probing and authentication responses.
- Integrity: Low to High depending on Agent-side authentication and Docker management permissions.
- Availability: Low to High depending on reachable Agent actions, such as stopping or modifying containers and stacks.
CVSS v3.1
Score: 8.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Timeline
- Discovered: 2026-06-10
- Vendor notified: 2026-06-10
- Patch released: [unknown]
- Public disclosure: 2026-06-10
Countermeasure
Require the Master websocket session to be authenticated before entering the
Agent forwarding branch. The Agent forwarding path should be protected by the
same authorization gate as normal Master-side commands, while preserving the
existing per-Agent authentication flow for already-authenticated Master users. |
|---|
| المصدر | ⚠️ https://github.com/will-moss/isaiah/issues/34 |
|---|
| المستخدم | Dem0000000 (UID 98743) |
|---|
| ارسال | 10/06/2026 03:06 PM (1 شهر منذ) |
|---|
| الاعتدال | 12/07/2026 08:12 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 377891 [will-moss Isaiah حتى 1.36.9 Master Websocket server.go Server.Handle Agent تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|