Common Weakness Enumeration

CWE-610

Discouraged

Externally Controlled Reference to a Resource in Another Sphere

Abstraction: Class · Status: Draft

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

278 vulnerabilities reference this CWE, most recent first.

GHSA-55VQ-F28F-XGCC

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-28T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.",
  "id": "GHSA-55vq-f28f-xgcc",
  "modified": "2022-05-24T17:49:00Z",
  "published": "2022-05-24T17:49:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27648"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_21_15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-583G-G682-CRXF

Vulnerability from github – Published: 2024-02-09 15:19 – Updated: 2024-02-09 15:19
VLAI
Summary
Micronaut management endpoints vulnerable to drive-by localhost attack
Details

Summary

Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought.

Details

A malicious/compromised website can make HTTP requests to localhost. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered.

Impact

Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-server-netty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-server-tck"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-610",
      "CWE-664"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-09T15:19:15Z",
    "nvd_published_at": "2024-02-09T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nEnabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought.\n\n### Details\nA malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are [\"simple\"](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered.\n\n### Impact\nProduction environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.\n",
  "id": "GHSA-583g-g682-crxf",
  "modified": "2024-02-09T15:19:15Z",
  "published": "2024-02-09T15:19:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23639"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/pull/8642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/01adb21e57137caaf7004313d2055c5a78b1f47b"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Micronaut management endpoints vulnerable to drive-by localhost attack"
}

GHSA-5C24-6XXH-4R78

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:30
VLAI
Details

A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website’s application pool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-17T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in syngo Dynamics (All versions \u003c VA40G HF01). syngo Dynamics application server hosts a web service using an operation with improper write access control that could allow to write data in any folder accessible to the account assigned to the website\u2019s application pool.",
  "id": "GHSA-5c24-6xxh-4r78",
  "modified": "2024-04-04T05:30:22Z",
  "published": "2023-07-06T19:24:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42734"
    },
    {
      "type": "WEB",
      "url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-741697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FC6-7WPW-JRM9

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2026-04-08 18:31
VLAI
Details

The WordPress Infinite Scroll – Ajax Load More plugin for Wordpress is vulnerable to arbitrary file reading in versions up to, and including, 5.5.3 due to insufficient file path validation on the alm_repeaters_export() function. This makes it possible for authenticated attackers, with administrative privileges, to download arbitrary files hosted on the server that may contain sensitive content, such as the wp-config.php file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22",
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The WordPress Infinite Scroll \u2013 Ajax Load More plugin for Wordpress is vulnerable to arbitrary file reading in versions up to, and including, 5.5.3 due to insufficient file path validation on the alm_repeaters_export() function. This makes it possible for authenticated attackers, with administrative privileges, to download arbitrary files hosted on the server that may contain sensitive content, such as the wp-config.php file.",
  "id": "GHSA-5fc6-7wpw-jrm9",
  "modified": "2026-04-08T18:31:58Z",
  "published": "2022-09-07T00:01:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2943"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Xib3rR4dAr/f9a4b4838154854ec6cde7d5deb76bf9"
    },
    {
      "type": "WEB",
      "url": "https://plugins.svn.wordpress.org/ajax-load-more/tags/5.5.4/README.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d643d07-7533-430b-a1d8-8e66a2a2c5e6?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GQQ-CH9P-4H64

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-18 15:31
VLAI
Details

Insufficient configuration management in the listed devices allows authenticated administrators connected to the local network to tamper with the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:16:59Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient configuration management in the listed devices\u00a0allows authenticated administrators connected to the local network\nto tamper with the system.",
  "id": "GHSA-5gqq-ch9p-4h64",
  "modified": "2026-06-18T15:31:55Z",
  "published": "2026-06-09T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0418"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax45"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax48"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax50"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax50s"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax75"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax80"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/raxe450"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/raxe500"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbr750"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbr840"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbr850"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbre960"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbs750"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbs840"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbs850"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rbse960"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rs700"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/xr1000"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000070811/June-2026-NETGEAR-Security-Advisory"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/cbr750"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/ex6120"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/ex6130"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/mr60"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/mr70"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/mr80"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/ms60"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/ms70"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/ms80"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax15"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax20"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax200"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax35v2"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax38v2"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax40v2"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax42"
    },
    {
      "type": "WEB",
      "url": "https://www.netgear.com/support/product/rax43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:D/RE:L/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5H7G-3542-FW4Q

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2025-10-22 00:31
VLAI
Details

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-05T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.",
  "id": "GHSA-5h7g-3542-fw4q",
  "modified": "2025-10-22T00:31:48Z",
  "published": "2022-05-24T17:02:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7195"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7195"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/zh-tw/security-advisory/nas-201911-25"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JFQ-8PVR-X22V

Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-26 00:00
VLAI
Details

A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 is able to address this issue. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-17T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 is able to address this issue. It is recommended to upgrade the affected component.",
  "id": "GHSA-5jfq-8pvr-x22v",
  "modified": "2022-07-26T00:00:30Z",
  "published": "2022-07-18T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10003"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.97203"
    },
    {
      "type": "WEB",
      "url": "http://www.securitygalore.com/site3/filezilla_ftp_server_advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5M93-GW9J-97FF

Vulnerability from github – Published: 2022-12-19 00:30 – Updated: 2022-12-22 21:30
VLAI
Details

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.1. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.3.0 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-18T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.1. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.3.0 is able to address this issue. The name of the patch is 246f4e2a97ad81491c00a7ed72ce5e7c7f75050a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216215.",
  "id": "GHSA-5m93-gw9j-97ff",
  "modified": "2022-12-22T21:30:31Z",
  "published": "2022-12-19T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/pull/12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/commit/246f4e2a97ad81491c00a7ed72ce5e7c7f75050a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/releases/tag/v5.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3dcitydb/web-feature-service/releases/tag/v5.3.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MQX-RPXV-MVXJ

Vulnerability from github – Published: 2024-07-23 03:30 – Updated: 2026-02-04 18:43
VLAI
Summary
HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration
Details

HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T14:59:35Z",
    "nvd_published_at": "2024-07-23T01:15:09Z",
    "severity": "HIGH"
  },
  "details": "HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1 archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.",
  "id": "GHSA-5mqx-rpxv-mvxj",
  "modified": "2026-02-04T18:43:12Z",
  "published": "2024-07-23T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6717"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/commit/ef6cdec8847e0698d386d1fd3761743df758ef99"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2024-15-nomad-vulnerable-to-allocation-directory-path-escape-through-archive-unpacking/68781"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/nomad"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/releases/tag/v1.8.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration"
}

GHSA-5PH6-QQ5X-7JWC

Vulnerability from github – Published: 2021-08-30 17:22 – Updated: 2021-08-30 16:53
VLAI
Summary
ExternalName Services can be used to gain access to Envoy's admin interface
Details

Impact

Josh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it cannot be used to get the content of those secrets.

Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above.

Patches

The issue will be addressed in the forthcoming Contour v1.18.0 and a patch release, v1.17.1, has been released in the meantime.

It is addressed in two ways: - disabling ExternalName type Services by default - When ExternalName Services are enabled, block obvious "localhost" entries.

Disable ExternalName type Services by default

This change prohibits processing of ExternalName services unless the cluster operator specifically allows them using the new --enable-externalname flag or equivalent configuration file setting. This is a breaking change for previous versions of Contour, which is unfortunate, but necessary because of the severity of the information exposed in this advisory.

Block obvious localhost entries for enabled ExternalName Services

As part of this change set, we have added a filter in the event that operators do enable ExternalName Services, such that obvious localhost entries are rejected by Contour.

There are a number of problems with this method, however: - This is a porous control. As long as you control a domain name, it's trivially easy to add a DNS entry for any name you like that redirects to 127.0.0.1 or ::1. Contour even provides local.projectcontour.io ourselves for testing and example purposes. (This name is, of course, included in the "obvious localhost entries" list.) So we can never totally stop this exploit as long as the admin interface is accessible on localhost, which, according to envoyproxy/envoy#2763, will be for some time if not forever. The best we can do is block some obvious elements, but this is always a risk for a motivated attacker. - We've actually suggested using localhost ExternalName Services in the past, to allow people to connect to sidecar External Authentication services in their cluster. Both of these changes break this use-case, but given that it's about something that has security requirements high enough to require authentication, it's important to ensure that people are opting in. For the External Auth sidecar case, we are investigating an update to ExtensionService that will help with the sidecar use case.

Workarounds

Not easily. It's not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas.

For more information

Exploit code will be published at a later date for this vulnerability, once our users have had a chance to upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcontour/contour"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcontour/contour"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcontour/contour"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.16.0"
            },
            {
              "fixed": "1.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.16.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcontour/contour"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0"
            },
            {
              "fixed": "1.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.17.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T16:53:38Z",
    "nvd_published_at": "2021-07-23T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nJosh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy\u0027s admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets.\n\nSince this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above.\n\n### Patches\nThe issue will be addressed in the forthcoming Contour v1.18.0 and a patch release, v1.17.1, has been released in the meantime.\n\nIt is addressed in two ways:\n- disabling ExternalName type Services by default\n- When ExternalName Services are enabled, block obvious \"localhost\" entries.\n\n#### Disable ExternalName type Services by default\n\nThis change prohibits processing of ExternalName services unless the cluster operator specifically allows them using the new `--enable-externalname` flag or equivalent configuration file setting. This is a breaking change for previous versions of Contour, which is unfortunate, but necessary because of the severity of the information exposed in this advisory.\n\n\n#### Block obvious `localhost` entries for enabled ExternalName Services\n\nAs part of this change set, we have added a filter in the event that operators *do* enable ExternalName Services, such that obvious `localhost` entries are rejected by Contour.\n\nThere are a number of problems with this method, however:\n- This is a porous control. As long as you control a domain name, it\u0027s trivially easy to add a DNS entry for any name you like that redirects to `127.0.0.1` or `::1`. Contour even provides `local.projectcontour.io` ourselves for testing and example purposes. (This name is, of course, included in the \"obvious localhost entries\" list.) So we can never totally stop this exploit as long as the admin interface is accessible on localhost, which, according to envoyproxy/envoy#2763, will be for some time if not forever. The best we can do is block some obvious elements, but this is always a risk for a motivated attacker.\n- We\u0027ve actually suggested using `localhost` ExternalName Services in the past, to allow people to connect to sidecar External Authentication services in their cluster. Both of these changes break this use-case, but given that it\u0027s about something that has security requirements high enough to require authentication, it\u0027s important to ensure that people are opting in. For the External Auth sidecar case, we are investigating an update to ExtensionService that will help with the sidecar use case.\n\n### Workarounds\nNot easily. It\u0027s not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas.\n\n### For more information\nExploit code will be published at a later date for this vulnerability, once our users have had a chance to upgrade.",
  "id": "GHSA-5ph6-qq5x-7jwc",
  "modified": "2021-08-30T16:53:38Z",
  "published": "2021-08-30T17:22:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32783"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/commit/5f3e6d0ab1d48e64bae46400c85c490b200393a3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/commit/b53a5c4fd927f4ea2c6cf02f1359d8e28bef852e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/releases/tag/v1.14.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/releases/tag/v1.15.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/releases/tag/v1.16.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcontour/contour/releases/tag/v1.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ExternalName Services can be used to gain access to Envoy\u0027s admin interface"
}

No mitigation information available for this CWE.

CAPEC-219: XML Routing Detour Attacks

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.