CWE-749
AllowedExposed Dangerous Method or Function
Abstraction: Base · Status: Incomplete
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
304 vulnerabilities reference this CWE, most recent first.
GHSA-88CV-G9GQ-H6PQ
Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-04 21:31Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
{
"affected": [],
"aliases": [
"CVE-2025-59788"
],
"database_specific": {
"cwe_ids": [
"CWE-749",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T19:16:04Z",
"severity": "MODERATE"
},
"details": "Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user\u0027s browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.",
"id": "GHSA-88cv-g9gq-h6pq",
"modified": "2025-12-04T21:31:04Z",
"published": "2025-12-04T21:31:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24wp-p865-7j4r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59788"
},
{
"type": "WEB",
"url": "https://nextcloud.com"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-88JQ-MX6C-FWFM
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Foxit PDF Editor DOC File Parsing Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of DOC files. The issue results from the lack of proper restrictions on macro-enabled documents. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19739.
{
"affected": [],
"aliases": [
"CVE-2023-27365"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T02:15:14Z",
"severity": "HIGH"
},
"details": "Foxit PDF Editor DOC File Parsing Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of DOC files. The issue results from the lack of proper restrictions on macro-enabled documents. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19739.",
"id": "GHSA-88jq-mx6c-fwfm",
"modified": "2024-05-03T03:30:49Z",
"published": "2024-05-03T03:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27365"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-493"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8JFC-9MV9-FVF7
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30LG Simple Editor copyContent Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the copyContent command. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19945.
{
"affected": [],
"aliases": [
"CVE-2023-40501"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:24Z",
"severity": "CRITICAL"
},
"details": "LG Simple Editor copyContent Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of LG Simple Editor. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the copyContent command. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19945.",
"id": "GHSA-8jfc-9mv9-fvf7",
"modified": "2024-05-03T03:30:58Z",
"published": "2024-05-03T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40501"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1217"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MV3-37RC-PVXJ
Vulnerability from github – Published: 2025-01-14 15:42 – Updated: 2025-05-21 14:15Problem
A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.
Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:
- the user opens a malicious link, such as one sent via email.
- the user visits a compromised or manipulated website while the following settings are misconfigured:
security.backend.enforceReferrerfeature is disabled,BE/cookieSameSiteconfiguration is set tolaxornone
The vulnerability in the affected downstream component “DB Check Module” allows attackers to manipulate data through unauthorized actions.
Solution
Update to TYPO3 versions 11.5.42 ELTS that fixes the problem described.
Credits
Thanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias Häußler who fixed the issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.41"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-lowlevel"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.42"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55945"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-14T15:42:50Z",
"nvd_published_at": "2025-01-14T20:15:30Z",
"severity": "MODERATE"
},
"details": "### Problem\nA vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method.\n\nSuccessful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions:\n\n* the user opens a malicious link, such as one sent via email.\n* the user visits a compromised or manipulated website while the following settings are misconfigured:\n + `security.backend.enforceReferrer` feature is disabled,\n + `BE/cookieSameSite` configuration is set to `lax` or `none`\n\nThe vulnerability in the affected downstream component \u201cDB Check Module\u201d allows attackers to manipulate data through unauthorized actions.\n\n### Solution\nUpdate to TYPO3 versions 11.5.42 ELTS that fixes the problem described.\n\n### Credits\nThanks to Gabriel Dimitrov who reported this issue and to TYPO3 core and security members Benjamin Franzke, Oliver Hader, Andreas Kienast, Torben Hansen, Elias H\u00e4u\u00dfler who fixed the issue.",
"id": "GHSA-8mv3-37rc-pvxj",
"modified": "2025-05-21T14:15:53Z",
"published": "2025-01-14T15:42:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-8mv3-37rc-pvxj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55945"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/lowlevel"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2025-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery"
}
GHSA-92CG-GHQ6-9587
Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 18:52Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m8rw-rcpq-2vp2. This link is maintained to preserve external references.
Original Description
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/sap/cloud-security-client-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-639",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-15T03:39:45Z",
"nvd_published_at": "2023-12-12T03:15:07Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m8rw-rcpq-2vp2. This link is maintained to preserve external references.\n\n## Original Description\nSAP\u00a0BTP\u00a0Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions \u003c 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
"id": "GHSA-92cg-ghq6-9587",
"modified": "2024-09-30T18:52:24Z",
"published": "2023-12-12T03:31:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50424"
},
{
"type": "WEB",
"url": "https://github.com/SAP/cloud-security-client-go/commit/2e3bd63e152e09f267316a1071034eb5d4b7f498"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAP/cloud-security-client-go"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3411067"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/github.com/sap/cloud-security-client-go@v0.17.0"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Privilege escalation in sap/cloud-security-client-go",
"withdrawn": "2024-09-30T18:52:24Z"
}
GHSA-98WF-PJ2G-84XF
Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27668.
{
"affected": [],
"aliases": [
"CVE-2025-14492"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T22:15:50Z",
"severity": "HIGH"
},
"details": "RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27668.",
"id": "GHSA-98wf-pj2g-84xf",
"modified": "2025-12-24T00:30:15Z",
"published": "2025-12-24T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14492"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1172"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FFH-XXX5-C8PC
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Voltronic Power ViewPower setShutdown Exposed Dangerous Method Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the setShutdown method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22023.
{
"affected": [],
"aliases": [
"CVE-2023-51577"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:17Z",
"severity": "HIGH"
},
"details": "Voltronic Power ViewPower setShutdown Exposed Dangerous Method Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the setShutdown method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22023.",
"id": "GHSA-9ffh-xxx5-c8pc",
"modified": "2024-05-03T03:31:07Z",
"published": "2024-05-03T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51577"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1883"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9H94-Q24V-4V27
Vulnerability from github – Published: 2026-03-05 18:31 – Updated: 2026-03-25 18:31Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler.
This issue affects RustDesk Client: through 1.4.5.
{
"affected": [],
"aliases": [
"CVE-2026-30797"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T16:16:21Z",
"severity": "CRITICAL"
},
"details": "Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler.\n\nThis issue affects RustDesk Client: through 1.4.5.",
"id": "GHSA-9h94-q24v-4v27",
"modified": "2026-03-25T18:31:37Z",
"published": "2026-03-05T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30797"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"type": "WEB",
"url": "https://rustdesk.com/docs/en/client"
},
{
"type": "WEB",
"url": "https://www.vulsec.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9HFW-W3F4-C4P8
Vulnerability from github – Published: 2026-06-04 06:30 – Updated: 2026-07-14 19:45OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mistral"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0"
},
{
"fixed": "20.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mistral"
},
"versions": [
"21.0.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mistral"
},
"versions": [
"22.0.0"
]
}
],
"aliases": [
"CVE-2026-41283"
],
"database_specific": {
"cwe_ids": [
"CWE-749",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T19:45:28Z",
"nvd_published_at": "2026-06-04T04:17:12Z",
"severity": "CRITICAL"
},
"details": "OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.",
"id": "GHSA-9hfw-w3f4-c4p8",
"modified": "2026-07-14T19:45:28Z",
"published": "2026-06-04T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41283"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-41283"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484607"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/mistral"
},
{
"type": "WEB",
"url": "https://github.com/openstack/mistral/tags"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41283.json"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-020.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/06/03/14"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Mistral allows Arbitrary Remote Code Execution when the API is exposed"
}
GHSA-9J4F-F249-Q5W8
Vulnerability from github – Published: 2024-09-06 21:37 – Updated: 2024-11-18 16:27Impact
Users running the Synthetic Monitoring agent in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed thru a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks.
Patches
Fixed version is v0.12.0
Users are advised to rotate the agent tokens.
After upgrading to version v0.12.0 or later, it's recommended that user's of distribution packages (e.g. Debian or RedHat and their derivatives) review the configuration stored in /etc/synthetic-monitoring/synthetic-monitoring-agent.conf, specifically the API_TOKEN variable which has been renamed to SM_AGENT_API_TOKEN.
Workarounds
With all previous versions, it's recommended that users review the agent settings and set the HTTP listening address in a manner that limits the exposure, for example, localhost or a non-routed network, by using the command line parameter -listen-address, e.g. -listen-address localhost:4050.
References
The following changes have been made to address this issue:
- Disable debug endpoint by default
- Allow retrieving the token from the environment
- Default to listening on localhost
For more information
If you have any questions or comments about this advisory: * You can use the Synthetic Monitoring Agent discussions. * Issues should be reported in the Synthetic Monitoring Agent issues. * Email us at security@grafana.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/synthetic-monitoring-agent/cmd/synthetic-monitoring-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/synthetic-monitoring-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46156"
],
"database_specific": {
"cwe_ids": [
"CWE-489",
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-06T21:37:02Z",
"nvd_published_at": "2022-11-30T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsers running the Synthetic Monitoring agent in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed thru a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks.\n\n### Patches\n\nFixed version is v0.12.0\n\nUsers are advised to rotate the agent tokens.\n\nAfter upgrading to version v0.12.0 or later, it\u0027s recommended that user\u0027s of distribution packages (e.g. Debian or RedHat and their derivatives) review the configuration stored in `/etc/synthetic-monitoring/synthetic-monitoring-agent.conf`, specifically the `API_TOKEN` variable which has been renamed to `SM_AGENT_API_TOKEN`.\n\n### Workarounds\n\nWith all previous versions, it\u0027s recommended that users review the agent settings and set the HTTP listening address in a manner that limits the exposure, for example, localhost or a non-routed network, by using the command line parameter `-listen-address`, e.g. `-listen-address localhost:4050`.\n\n### References\n\nThe following changes have been made to address this issue:\n\n- [Disable debug endpoint by default](https://github.com/grafana/synthetic-monitoring-agent/pull/373)\n- [Allow retrieving the token from the environment](https://github.com/grafana/synthetic-monitoring-agent/pull/374)\n- [Default to listening on localhost](https://github.com/grafana/synthetic-monitoring-agent/pull/375)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* You can use the [Synthetic Monitoring Agent discussions](https://github.com/grafana/synthetic-monitoring-agent/discussions).\n* Issues should be reported in the [Synthetic Monitoring Agent issues](https://github.com/grafana/synthetic-monitoring-agent/issues).\n* Email us at [security@grafana.com](mailto:security@grafana.com).\n",
"id": "GHSA-9j4f-f249-q5w8",
"modified": "2024-11-18T16:27:10Z",
"published": "2024-09-06T21:37:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/security/advisories/GHSA-9j4f-f249-q5w8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46156"
},
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/pull/373"
},
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/pull/374"
},
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/pull/375"
},
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/commit/d8dc7f9c1c641881cbcf0a09e178b90ebf0f0228"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/synthetic-monitoring-agent"
},
{
"type": "WEB",
"url": "https://github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.12.0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Default installation of `synthetic-monitoring-agent` exposes sensitive information"
}
Mitigation
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Strategy: Attack Surface Reduction
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.