CVE-2020-15391 — DevSpace vulnerable to remote code execution

Description

The UI in DevSpace 4.13.0 allows web sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.

How to fix CVE-2020-15391

To remediate CVE-2020-15391, upgrade the affected package to a fixed version below.

Go/github.com/loft-sh/devspace—upgrade to 4.14.0 or later

Is CVE-2020-15391 being exploited?

Low — EPSS is 2.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-15391
PATCHgithub.com/devspace-sh/devspace
WEBgithub.com/devspace-cloud/devspace/releases/tag/v4.14.0
WEBgithub.com/devspace-sh/devspace/issues/1128