CVE-2024-23639
Micronaut management endpoints vulnerable to drive-by localhost attack
描述
### Summary Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. ### Details A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are ["simple"](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. ### Impact Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.
如何修補 CVE-2024-23639
要修補 CVE-2024-23639,請將受影響套件升級到下列已修補版本。
- —升級至 3.8.3 或更新版本
- —升級至 3.8.3 或更新版本
- —升級至 3.8.3 或更新版本
CVE-2024-23639 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(3)
- from 0, < 3.8.3
- from 0, < 3.8.3
- from 0, < 3.8.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |