CVE-2023-31143
MEDIUM5.9EPSS 0.22%Mage-ai missing user authentication
發布日:2023/5/5修改日:2024/9/30
描述
### Impact You may be impacted if you're using Mage with user authentication enabled. The terminal could be accessed by users who are not signed in or do not have editor permissions. ### Patches The vulnerability has been resolved in Mage version 0.8.72.
受影響套件(2)
- PyPI/mage-ai>= 0.8.34, < 0.8.72
- PyPI/mage-aifrom 0, < f63cd00f6a3be372397d37a4c9a49bfaf50d7650 | >= 0.8.34, < 0.8.72
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-31143
- PATCHhttps://github.com/mage-ai/mage-ai
- WEBhttps://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650
- WEBhttps://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mage-ai/PYSEC-2023-64.yaml