CVE-2022-31149

Опубликовано: 07 сент. 2022

Источник: nvd

CVSS3: 8.8

CVSS3: 9.6

EPSS Низкий

Описание

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1.

Ссылки

https://gist.github.com/zozs/fdebbce75fc8538c15851b46db944a16
Exploit
Third Party Advisory
https://github.com/ActivityWatch/activitywatch/discussions/778
Release Notes
Third Party Advisory
https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-v9fg-6g9j-h4x4
Third Party Advisory
https://gist.github.com/zozs/fdebbce75fc8538c15851b46db944a16
Exploit
Third Party Advisory
https://github.com/ActivityWatch/activitywatch/discussions/778
Release Notes
Third Party Advisory
https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-v9fg-6g9j-h4x4
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:activitywatch:activitywatch:*:*:*:*:*:*:*:*

Версия до 0.12.0 (исключая)

cpe:2.3:a:activitywatch:activitywatch:0.12.0:beta1:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.00436

Низкий

8.8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-290

Связанные уязвимости

CVE-2022-31149

CVSS3: 8.8

debian

больше 3 лет назад

ActivityWatch open-source automated time tracker. Versions prior to 0. ...

EPSS

Процентиль: 63%

0.00436

Низкий

8.8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-290