CVE-2023-49805 — MEDIUM (6.0)

Q: How severe is CVE-2023-49805?

CVE-2023-49805 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-49805?

Check the references section above for vendor advisories and patch information. Affected products include: Dockge.Kuma Dockge, Uptime.Kuma Uptime Kuma.

Vulnerability Description

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application. Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vulnerabilities of the application. Users with "No-auth" mode configured who are relying on a reverse proxy or firewall to provide protection to the application would be especially vulnerable as it would grant the attacker full access to the application. In version 1.23.9, additional verification of the HTTP Origin header has been added to the socket.io connection handler. By default, if the `Origin` header is present, it would be checked against the Host header. Connection would be denied if the hostnames do not match, which would indicate that the request is cross-origin. Connection would be allowed if the `Origin` header is not present. Users can override this behavior by setting environment variable `UPTIME_KUMA_WS_ORIGIN_CHECK=bypass`.

CVSS Score

6.0

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Dockge.Kuma	Dockge	< 1.3.3
Uptime.Kuma	Uptime Kuma	< 1.23.9

Related Weaknesses (CWE)

CWE-346 CWE-1385

References

https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e728997082Patch
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrrExploitVendor Advisory
https://github.com/louislam/uptime-kuma/commit/2815cc73cfd9d8ced889e00e728997082Patch
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-mj22-23ff-2hrrExploitVendor Advisory

FAQ

What is CVE-2023-49805?

CVE-2023-49805 is a vulnerability with a CVSS score of 6.0 (MEDIUM). Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. T...

How severe is CVE-2023-49805?

CVE-2023-49805 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-49805?

Check the references section above for vendor advisories and patch information. Affected products include: Dockge.Kuma Dockge, Uptime.Kuma Uptime Kuma.