Miggo Logo

CVE-2020-15391: DevSpace vulnerable to remote code execution

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.84302%
Published
5/24/2022
Updated
10/19/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/loft-sh/devspacego<= 4.13.04.14.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing WebSocket authentication in the UI server. WebSocket handlers are typically implemented via connection handling functions (like HandleWebSocketConnection) and server initialization functions (like StartUIServer). The CWE-306 (Missing Authentication for Critical Function) directly maps to these functions as they would be responsible for enforcing authentication before allowing pod operations. The high confidence comes from: 1) The vulnerability's technical description explicitly mentions WebSocket auth lack 2) The fix in v4.14.0 would logically require modifying these core WebSocket handling components 3) Standard WebSocket implementation patterns in Go applications match this structure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** UI in **vSp*** *.**.* *llows w** sit*s to *x**ut* **tions on po*s (on ****l* o* * vi*tim) ****us* o* * l**k o* *ut**nti**tion *or t** W**So*k*t proto*ol. T*is l***s to r*mot* *o** *x**ution.

Reasoning

T** vuln*r**ility st*ms *rom missin* W**So*k*t *ut**nti**tion in t** UI s*rv*r. W**So*k*t **n*l*rs *r* typi**lly impl*m*nt** vi* *onn**tion **n*lin* *un*tions (lik* `**n*l*W**So*k*t*onn**tion`) *n* s*rv*r initi*liz*tion *un*tions (lik* `St*rtUIS*rv*r