Vulnerability Description
Mycroft AI mycroft-core version 18.2.8b and earlier contains an Incorrect Access Control vulnerability in the Websocket configuration that can result in code execution. This impacts ONLY the Mycroft for Linux and "non-enclosure" installs; Mark 1 and Picroft are unaffected. This attack appears to be exploitable via remote access to the unsecured websocket server. At the time of this description, no fix was available.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mycroft | Mycroft-Core | <= 18.2.8b |
| Linux | Linux Kernel | - |
Related Weaknesses (CWE)
References
- https://community.mycroft.ai/t/zero-click-remote-code-execution-in-mycroft-ai-vo (Vendor Advisory)
- https://github.com/Nhoya/MycroftAI-RCEExploit (Third Party Advisory)
FAQ
What is CVE-2018-1000621?
CVE-2018-1000621 is a vulnerability with a CVSS score of 8.1 (HIGH). Mycroft AI mycroft-core version 18.2.8b and earlier contains an Incorrect Access Control vulnerability in the Websocket configuration that can result in code execution. This impacts ONLY the Mycroft for Li...
How severe is CVE-2018-1000621?
CVE-2018-1000621 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000621?
Check the references section above for vendor advisories and patch information. Affected products include: Mycroft Mycroft-Core, Linux Linux Kernel.