| عنوان | will-moss Isaiah 1.36.9 CWE-287 Improper Authentication |
|---|
| الوصف | A vulnerability was found in will-moss Isaiah 1.36.9. The issue is classified as high severity Improper Authentication.
Affected is the websocket connection authentication logic in the Forward Proxy Authentication feature. When FORWARD_PROXY_AUTHENTICATION_ENABLED is set to true, Isaiah reads the configured HTTP request header from the websocket handshake and marks the session as authenticated when the header value is non-empty and either matches FORWARD_PROXY_AUTHENTICATION_HEADER_VALUE or the configured value is "*".
The authentication decision is based only on the client-supplied header value. The application does not verify that the request originated from a configured trusted proxy address, and the decision is not bound to a proxy-validated session, nonce, or other server-side trust context. If the Isaiah backend websocket endpoint is reachable directly by an untrusted client, or if a reverse proxy forwards a user-controlled authentication header instead of overwriting or stripping it, an unauthenticated remote attacker can supply the configured header and bypass the normal password authentication flow.
This issue is deployment-sensitive. A strictly isolated backend that is reachable only from a trusted reverse proxy, with the proxy overwriting or stripping user-supplied identity headers, mitigates external exploitation. The application itself currently does not enforce that trust boundary.
Authentication required: no.
User interaction required: no.
Technical Details
- Affected file/function: app/main.go / websocket HandleConnect forward proxy authentication block
- Vulnerable parameter: configured HTTP request header selected by FORWARD_PROXY_AUTHENTICATION_HEADER_KEY, default Remote-User
- Attack vector: Network
- Privileges required: None
- Trigger condition: Forward Proxy Authentication is enabled and the backend /ws endpoint is reachable outside a strictly trusted proxy path, or the proxy passes user-controlled authentication headers
Impact
- Confidentiality: High. An attacker may access Docker resource metadata, container logs, container configuration, and environment variables, which may contain secrets.
- Integrity: High. An attacker may perform authenticated Docker management operations exposed by Isaiah, depending on deployment permissions.
- Availability: High. An attacker may stop, restart, remove, or otherwise disrupt managed Docker resources where those actions are available.
CVSS v3.1
Score: 8.1 (High)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
- Discovered: 2026-06-10
- Vendor notified: 2026-06-10
- Patch released: [unknown]
- Public disclosure: 2026-06-10
Countermeasure
Restrict Isaiah backend access to trusted reverse proxies only. The application should verify that Forward Proxy Authentication headers are accepted only from configured trusted proxy addresses, and deployments should ensure that the proxy overwrites or strips user-supplied identity headers. Avoid using a wildcard accepted header value unless the trusted proxy boundary is strictly enforced. |
|---|
| المصدر | ⚠️ https://github.com/will-moss/isaiah/issues/33 |
|---|
| المستخدم | Dem0000000 (UID 98743) |
|---|
| ارسال | 10/06/2026 03:09 PM (1 شهر منذ) |
|---|
| الاعتدال | 12/07/2026 08:13 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 377892 [will-moss Isaiah حتى 1.36.9 Websocket Connection Authentication app/main.go توثيق ضعيف] |
|---|
| النقاط | 20 |
|---|