
CVE-2024-23823: vantage6's CORS settings overly permissive

CVSS Score: 4.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.17901%
Published: 3/15/2024
Updated: 3/15/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vantage6 | pip | <= 4.2.2 | 4.3.0 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key functions:

  1. The __init__ method configured Flask-CORS with unrestricted origins via 'CORS(self.app)', which defaults to allowing all domains.
  2. The setup_socket_connection method explicitly set SocketIO's CORS policy to '*' (all origins).

Both functions failed to enforce origin restrictions, which matches CWE-942. The commit diff shows both locations were patched to use configurable origins instead of hardcoded wildcards.
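One way to audit a code base for the two patterns described above, as an added example that is not vantage6's or Miggo's code: a standard-library AST check that flags a Flask-CORS call with no origin restriction and a SocketIO call with a literal wildcard. The sample source, class name and the allowed_origins variable are constructed for illustration.

```python
import ast

# Constructed sample: the two patterns from the analysis, then a configurable variant.
SAMPLE = '''
from flask import Flask
from flask_cors import CORS
from flask_socketio import SocketIO

class ServerApp:
    def __init__(self):
        self.app = Flask(__name__)
        CORS(self.app)

    def setup_socket_connection(self):
        return SocketIO(self.app, cors_allowed_origins="*")

    def patched(self, allowed_origins):
        CORS(self.app, origins=allowed_origins)
        return SocketIO(self.app, cors_allowed_origins=allowed_origins)
'''

def _is_wildcard(value):
    # True for a literal "*" or a list/tuple literal that contains one.
    if isinstance(value, ast.Constant):
        return value.value == "*"
    if isinstance(value, (ast.List, ast.Tuple)):
        return any(_is_wildcard(e) for e in value.elts)
    return False  # names and expressions cannot be resolved statically

def find_permissive_cors(source):
    """Return sorted (line, library) pairs for calls that admit any origin."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        if name == "CORS":
            # Flask-CORS with neither origins= nor resources= falls back to "*".
            unrestricted = "origins" not in kwargs and "resources" not in kwargs
            if unrestricted or _is_wildcard(kwargs.get("origins")):
                findings.append((node.lineno, "flask-cors"))
        elif name == "SocketIO" and _is_wildcard(kwargs.get("cors_allowed_origins")):
            findings.append((node.lineno, "flask-socketio"))
    return sorted(findings)

if __name__ == "__main__":
    for line, lib in find_permissive_cors(SAMPLE):
        print(f"line {line}: {lib} accepts requests from any origin")
```

The check does not look inside a resources= mapping and treats any non-literal origin value as configured, so a wildcard supplied through configuration still needs a review of the deployed settings.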

Impact

The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies.

Patches

No

Workarounds

No
