CVE-2023-31143
MEDIUM5.9EPSS 0.22%Mage-ai missing user authentication
Published: 5/5/2023Modified: 9/30/2024
Description
### Impact You may be impacted if you're using Mage with user authentication enabled. The terminal could be accessed by users who are not signed in or do not have editor permissions. ### Patches The vulnerability has been resolved in Mage version 0.8.72.
Affected packages (2)
- PyPI/mage-ai>= 0.8.34, < 0.8.72
- PyPI/mage-aifrom 0, < f63cd00f6a3be372397d37a4c9a49bfaf50d7650 | >= 0.8.34, < 0.8.72
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-31143
- PATCHhttps://github.com/mage-ai/mage-ai
- WEBhttps://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650
- WEBhttps://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mage-ai/PYSEC-2023-64.yaml