| 标题 | SonicCloudOrg SonicServer 2.7.2 Code Injection |
|---|
| 描述 | The POST /exchange/send endpoint in sonic-server-controller is annotated with @WhiteUrl, which causes the platform's JWT authentication filter to unconditionally skip authentication for this endpoint. Any unauthenticated attacker can POST arbitrary JSON payloads to this endpoint, which are forwarded verbatim into the internal Transport WebSocket channel shared between the server and all connected Agents.
This allows an attacker to inject any internal protocol message — including runStep (triggering test execution), stopStep, or device control commands — without possessing any credentials.
When chained with V-S002 (Groovy unsandboxed execution), this vulnerability enables zero-authentication remote code execution on every Agent host managed by the Sonic Server. |
|---|
| 来源 | ⚠️ https://github.com/xpp3901/CVE_APPLY/blob/main/V-S001_SonicCloudPlatform_Unauth_ExchangeSend |
|---|
| 用户 | xpp39 (UID 97299) |
|---|
| 提交 | 2026-06-01 05時30分 (1 月前) |
|---|
| 管理 | 2026-07-11 14時24分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377804 [SonicCloudOrg sonic-agent 直到 2.7.2 JWT Authentication Filter ExchangeController.java 权限提升] |
|---|
| 积分 | 20 |
|---|