提出 #855074: will-moss Isaiah 1.36.9 CWE-862 Missing Authorization情報

タイトルwill-moss Isaiah 1.36.9 CWE-862 Missing Authorization
説明A vulnerability was found in will-moss Isaiah 1.36.9 and classified as high. Affected is the Agent forwarding path in the Server.Handle websocket handler. The manipulation of the websocket command field Agent leads to missing authorization before forwarding commands from the Master node to registered Agent nodes. It is possible to launch the attack remotely against a reachable Master websocket endpoint. Authentication required: no for triggering Master-side forwarding. User interaction required: no. Technical Details - Affected file/function: app/server/server/server.go / Server.Handle - Vulnerable parameter: websocket command field Agent - Attack vector: Network - Privileges required: None for Master-side forwarding - Trigger condition: Isaiah runs in a multi-node deployment as Master and has at least one registered Agent. A raw websocket client sends a command with the Agent field set before authenticating to the Master. The Master forwarding branch is evaluated before the normal authenticated session check. When SERVER_ROLE is Master and command.Agent is not empty, the handler iterates active sessions, selects the Agent session only by Agent.Name, clears command.Agent, overwrites command.Initiator with the current client's server-side session id, writes the command to the Agent session, and returns. The later session.Get("authenticated") authorization gate is not reached for that forwarded command. Direct Agent command execution is conditional. If Agent authentication is enabled, the Agent-side per-initiator authentication state rejects non-auth commands for a new unauthenticated initiator. If Agent authentication is disabled, weak, or known to the attacker, this Master-side bypass can lead to unauthorized Docker resource access and manipulation through the Agent node. Impact - Confidentiality: High when Agent authentication is disabled, weak, or compromised; otherwise limited to Agent probing and authentication responses. - Integrity: Low to High depending on Agent-side authentication and Docker management permissions. - Availability: Low to High depending on reachable Agent actions, such as stopping or modifying containers and stacks. CVSS v3.1 Score: 8.2 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Timeline - Discovered: 2026-06-10 - Vendor notified: 2026-06-10 - Patch released: [unknown] - Public disclosure: 2026-06-10 Countermeasure Require the Master websocket session to be authenticated before entering the Agent forwarding branch. The Agent forwarding path should be protected by the same authorization gate as normal Master-side commands, while preserving the existing per-Agent authentication flow for already-authenticated Master users.
ソース⚠️ https://github.com/will-moss/isaiah/issues/34
ユーザー
 Dem0000000 (UID 98743)
送信2026年06月10日 15:06 (1 月 ago)
モデレーション2026年07月12日 20:12 (1 month later)
ステータス承諾済み
VulDBエントリ377891 [will-moss Isaiah 迄 1.36.9 Master Websocket server.go Server.Handle Agent 特権昇格]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!