Описание
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
A flaw was found in Bokeh, an interactive visualization library. A remote attacker could exploit flawed origin validation logic in WebSocket connections, which are used for real-time communication between a web browser and a server. By luring a victim to a malicious website, the attacker could bypass the server's security checks, establish a connection, and interact with the Bokeh server on the victim's behalf. This could lead to unauthorized access to sensitive data or modification of visualizations.
Отчет
This vulnerability is rated Moderate for Red Hat OpenShift AI (RHOAI) as it affects Bokeh server applications with an allowlist configured. An attacker could exploit this by registering a malicious domain that appears to be a subdomain of an allowed origin, then luring a victim to visit it. This allows the attacker to initiate a WebSocket connection to the vulnerable Bokeh server, potentially accessing sensitive data or modifying visualizations on behalf of the victim.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | Fix deferred | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.4 Medium
CVSS3
Связанные уязвимости
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
Bokeh is an interactive visualization library written in Python. In ve ...
Bokeh server applications have Incomplete Origin Validation in WebSockets
5.4 Medium
CVSS3