제출 #852884: Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)정보

제목Sipeed PicoClaw Unreleased main branch after launcher introduction commit `e55b3b7a8d0b1ea1522da08fd46155ee4f58b794` and before a fix is merged Improper Access Control (CWE-284)
설명# Technical Details An access-control bypass exists in the launcher `IPAllowlist` middleware in `web/backend/middleware/access_control.go` of PicoClaw. The application fails to distinguish the real remote client from a same-host reverse proxy. The middleware trusts `r.RemoteAddr` as client identity and unconditionally allows loopback peers before evaluating configured `allowed_cidrs`. # Vulnerable Code File: `web/backend/middleware/access_control.go` Method: `IPAllowlist`, `clientIPFromRemoteAddr` Why: Uses only the immediate TCP peer from `RemoteAddr` and bypasses CIDR checks when the peer is loopback. File: `web/backend/main.go` Method: launcher middleware setup Why: Installs `IPAllowlist` before dashboard authentication, making this the intended network boundary for launcher routes. # Reproduction 1. Configure the launcher with `public: true` and restrictive `allowed_cidrs`. 2. Place a reverse proxy on the same host that forwards remote traffic to the launcher on `127.0.0.1`. 3. Send a direct non-allowlisted request and observe `403`. 4. Send the same request through the same-host proxy and observe that the launcher accepts it as loopback traffic. # Impact - Bypasses launcher network exposure restrictions. - Exposes endpoints that operators intended to restrict by CIDR. - May expose `/api/auth/status`, `/api/auth/setup`, and other launcher API routes to unauthorized remote clients.
원천⚠️ https://github.com/sipeed/picoclaw/issues/3069
사용자 Eric-d (UID 96861)
제출2026. 06. 09. PM 12:16 (1 월 ago)
모더레이션2026. 07. 09. PM 08:07 (1 month later)
상태수락
VulDB 항목377259 [Sipeed PicoClaw 까지 0.2.9 Launcher access_control.go IPAllowlist 권한 상승]
포인트들20

Do you want to use VulDB in your project?

Use the official API to access entries easily!