提交 #852965: Sipeed PicoClaw <= v0.2.9 Authentication Bypass Using an Alternate Path or Channel (CWE-288)信息

标题Sipeed PicoClaw <= v0.2.9 Authentication Bypass Using an Alternate Path or Channel (CWE-288)
描述# Technical Details An authentication and network-policy bypass exists in launcher first-run setup in `web/backend/middleware/access_control.go`, `web/backend/api/auth.go`, and `web/backend/main.go` of PicoClaw. The application fails to enforce `allowed_cidrs` for requests relayed through a same-host loopback proxy. `IPAllowlist` unconditionally trusts loopback peers before checking configured CIDRs, and `handleSetup` allows unauthenticated password initialization while the launcher password store is uninitialized. # Vulnerable Code File: `web/backend/middleware/access_control.go` Method: `IPAllowlist` Why: Allows any request whose immediate `RemoteAddr` is loopback before evaluating `allowed_cidrs`. File: `web/backend/api/auth.go` Method: `handleSetup` Why: Allows anyone who can reach `/api/auth/setup` to initialize the dashboard password on a fresh launcher. File: `web/backend/main.go` Method: launcher route wiring Why: Registers `/api/auth/setup` and places the mux behind `IPAllowlist`, so the loopback-trust decision directly gates first-run authentication setup. # Reproduction 1. Configure launcher with `public: true` and an `allowed_cidrs` value excluding the attacker IP. 2. Start a fresh launcher with no existing dashboard password. 3. Confirm a direct request to `/api/auth/setup` from a non-allowed host IP returns `403`. 4. Relay the same request through a same-host loopback proxy or TCP forwarder. 5. Observe the proxied setup request returns `200 {"status":"ok"}` and `/api/auth/status` changes to `initialized:true`. # Impact - Allows remote unauthenticated initialization of the launcher dashboard password on fresh instances. - Bypasses network restrictions operators configured with `allowed_cidrs`. - Enables takeover of launcher admin functionality, including configuration changes, credential management, gateway lifecycle actions, and other admin-plane API access.
来源⚠️ https://github.com/sipeed/picoclaw/issues/3080
用户
 Eric-i (UID 97584)
提交2026-06-09 13時33分 (1 月前)
管理2026-07-18 09時23分 (1 month later)
状态已接受
VulDB条目380014 [Sipeed PicoClaw 直到 0.2.9 First Run Setup access_control.go allowed_cidrs 弱身份验证]
积分20

Do you know our Splunk app?

Download it now for free!