CVE-2024-41962
Bostr Improper Authorization vulnerability
4.6
MEDIUM
CVSS 3.1
EPSS 0.21%
Description
Even with `authorized_keys` is filled with allowed pubkeys, If `noscraper` is enabled, It will allow anyone to use bouncer even it's pubkey is not in `authorized_keys`. ### Impact - Private bouncer ### Patches Available on version [3.0.10](https://github.com/Yonle/bostr/releases/tag/3.0.10) ### Workarounds Disable `noscraper` if you have `authorized_keys` being set in config ### References This [line of code](https://github.com/Yonle/bostr/blob/8665374a66e2afb9f92d0414b0d6f420a95d5d2d/auth.js#L21) is the cause.
How to fix CVE-2024-41962
To remediate CVE-2024-41962, upgrade the affected package to a fixed version below.
- —upgrade to 3.0.10 or later
Is CVE-2024-41962 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.0.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L |