Description
Micronaut management endpoints vulnerable to drive-by localhost attack
Summary
Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought.
Details
A malicious/compromised website can make HTTP requests to localhost. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered.
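The distinction above decides which unsecured endpoints a cross-origin page can trigger, so it is worth auditing. The following is an added example, not code from the advisory or from Micronaut: it approximates the "simple request" rules from the MDN page listed in the references and applies them to a constructed endpoint inventory (the paths and the `secured` field are hypothetical).

```javascript
// Approximation of the CORS "simple request" rules: a request that meets
// all of them is sent by the browser without a preflight OPTIONS check.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type", "range",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns true when the browser must preflight the request.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      // Compare only the media type, ignoring parameters such as charset.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return true;
    }
    // Only a plain single byte range counts as safelisted.
    if (n === "range" && !/^bytes=\d+-\d*$/.test(String(value))) return true;
  }
  return false;
}

// Constructed inventory; `headers` are those the endpoint requires of a client.
const SAMPLE_ENDPOINTS = [
  { path: "/example/restart", method: "POST", headers: {}, secured: false },
  { path: "/example/config", method: "POST",
    headers: { "Content-Type": "application/json" }, secured: false },
  { path: "/example/cache", method: "DELETE", headers: {}, secured: false },
  { path: "/example/reload", method: "POST",
    headers: { "Content-Type": "text/plain" }, secured: true },
];

// Endpoints that are unsecured AND reachable without a preflight.
function driveByExposed(endpoints) {
  return endpoints
    .filter((e) => !e.secured && !needsPreflight(e.method, e.headers))
    .map((e) => e.path);
}

console.log(driveByExposed(SAMPLE_ENDPOINTS));
```

Endpoints the audit does not flag still need access control; a preflight only stops browser-originated cross-origin requests.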
Impact
Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.
References
- https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf
- https://nvd.nist.gov/vuln/detail/CVE-2024-23639
- https://github.com/micronaut-projects/micronaut-core/pull/8642
- https://github.com/micronaut-projects/micronaut-core/commit/01adb21e57137caaf7004313d2055c5a78b1f47b
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
Packages
- io.micronaut:micronaut-http-server: affected < 3.8.3, fixed in 3.8.3
- io.micronaut:micronaut-http-server-netty: affected < 3.8.3, fixed in 3.8.3
- io.micronaut:micronaut-http-server-tck: affected < 3.8.3, fixed in 3.8.3
Related vulnerabilities
Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the s