CVE-2023-26114 – code-server
Package
Manager: npm
Name: code-server
Vulnerable Version: >=0 <4.10.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00052 (percentile: 0.16008)
Details
code-server vulnerable to Missing Origin Validation in WebSockets
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSocket handshakes. Exploiting this vulnerability can allow an adversary, in specific scenarios, to access data from and connect to the code-server instance.
Metadata
Created: 2023-03-23T06:30:15Z
Modified: 2023-03-27T22:32:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-frjg-g767-7363/GHSA-frjg-g767-7363.json
CWE IDs: ["CWE-1385", "CWE-346"]
Alternative ID: GHSA-frjg-g767-7363
Finding: F184
Auto approve: 1