提出 #852942: Sipeed PicoClaw <= 0.2.9 Missing Authorization (CWE-862)情報

タイトルSipeed PicoClaw <= 0.2.9 Missing Authorization (CWE-862)
説明# Technical Details A missing authorization vulnerability exists in the Pico WebSocket command path in `pkg/channels/pico/pico.go`, `pkg/agent/agent_command.go`, and `pkg/commands/cmd_reload.go` of PicoClaw. The application fails to restrict the privileged `/reload` command to administrative channels. Any authenticated Pico WebSocket client can send normal chat content `/reload`, which is routed into the command executor and triggers the live gateway reload callback. # Vulnerable Code File: `pkg/channels/pico/pico.go` Method: `handleMessageSend` Why: Accepts authenticated Pico `message.send` content and forwards it into the generic inbound agent pipeline. File: `pkg/agent/agent_command.go` Method: command dispatch path Why: Routes any slash-prefixed inbound chat content into the command executor without checking privilege. File: `pkg/commands/cmd_reload.go` Method: `reloadCommand` Why: Invokes `rt.ReloadConfig()` without channel, role, or admin authorization. # Reproduction 1. Run PicoClaw <= 0.2.9 with the Pico channel enabled. 2. Connect to `/pico/ws` using a valid Pico token. 3. Send a `message.send` payload whose content is `/reload`. 4. Observe a response such as `Config reload triggered!`. 5. Confirm unauthenticated direct HTTP `POST /reload` remains protected with `401`, showing the chat path bypasses the intended management authorization. # Impact - Lets lower-privileged authenticated Pico chat clients invoke an administrative runtime action. - Can disrupt availability by repeatedly reloading gateway configuration. - Can interfere with administrator changes and runtime state.
ソース⚠️ https://github.com/sipeed/picoclaw/issues/3071
ユーザー
 Eric-i (UID 97584)
送信2026年06月09日 13:28 (1 月 ago)
モデレーション2026年07月09日 20:07 (1 month later)
ステータス承諾済み
VulDBエントリ377260 [Sipeed PicoClaw 迄 0.2.9 pico.go rt.ReloadConfig message.send 特権昇格]
ポイント20

Do you want to use VulDB in your project?

Use the official API to access entries easily!