louislam uptime-kuma up to 1.23.8 environment missing origin validation in websockets

Summaryinfo

A vulnerability identified as problematic has been detected in louislam uptime-kuma up to 1.23.8. Impacted is an unknown function. This manipulation of the argument environment causes missing origin validation in websockets. This vulnerability is tracked as CVE-2023-49805. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in louislam uptime-kuma up to 1.23.8. It has been declared as problematic. Affected by this vulnerability is some unknown functionality. The manipulation of the argument environment with an unknown input leads to a missing origin validation in websockets vulnerability. The CWE definition for the vulnerability is CWE-1385. The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application. Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application. In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.

The weakness was disclosed 12/12/2023 by Firewall as GHSA-mj22-23ff-2hrr. The advisory is shared at github.com. This vulnerability is known as CVE-2023-49805 since 11/30/2023. Technical details are known, but no exploit is available.

Upgrading to version 1.23.9 eliminates this vulnerability. Applying the patch 2815cc73cfd9d8ced889e00e72899708220d184f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• louislam

Name

• uptime-kuma

Version

• 1.23.0
• 1.23.1
• 1.23.2
• 1.23.3
• 1.23.4
• 1.23.5
• 1.23.6
• 1.23.7
• 1.23.8

License

• open-source

Website

• Product: https://github.com/louislam/uptime-kuma/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion