CVE-2013-7379

Опубликовано: 16 мая 2014

Источник: nvd

CVSS2: 6.8

EPSS Низкий

Описание

The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in the access-key header that partially matches config.master.api.access_key.

Ссылки

http://www.openwall.com/lists/oss-security/2014/05/13/1
http://www.openwall.com/lists/oss-security/2014/05/15/2
https://github.com/leizongmin/tomato/commit/9e427d524e04a905312a3294c85e939ed7d57b8c
Exploit
Patch
https://nodesecurity.io/advisories/Tomato_API_Admin_Auth_Weakness
Exploit
http://www.openwall.com/lists/oss-security/2014/05/13/1
http://www.openwall.com/lists/oss-security/2014/05/15/2
https://github.com/leizongmin/tomato/commit/9e427d524e04a905312a3294c85e939ed7d57b8c
Exploit
Patch
https://nodesecurity.io/advisories/Tomato_API_Admin_Auth_Weakness
Exploit

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ucdok:tomato:*:*:*:*:*:node.js:*:*

Версия до 0.0.5 (включая)

EPSS

Процентиль: 58%

0.0036

Низкий

6.8 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

GHSA-9vxc-g2jx-qj3p

github

больше 5 лет назад

API Admin Auth Weakness in tomato