9.3
CVE-2023-26114
- EPSS 0.34%
- Veröffentlicht 23.03.2023 05:15:16
- Zuletzt bearbeitet 25.02.2025 20:15:32
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
LoginVersions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Coder ≫ Code-server Version < 4.10.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.256 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.3 | 2.8 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.3 | 2.8 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
|
| report@snyk.io | 8.2 | 1.6 | 6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
|
CWE-1385 Missing Origin Validation in WebSockets
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
CWE-346 Origin Validation Error
The product does not properly verify that the source of data or communication is valid.
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7
https://github.com/coder/code-server/releases/tag/v4.10.1
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148