Search criteria
2 vulnerabilities found for webhood by webhood-io
CVE-2024-31218 (GCVE-0-2024-31218)
Vulnerability from nvd – Published: 2024-04-05 14:45 – Updated: 2024-09-06 18:14
VLAI?
Title
Missing Authentication for Critical Function in Webhood backend
Summary
Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network.
Severity ?
9.8 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webhood-io | webhood |
Affected:
< 0.9.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2"
},
{
"name": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webhoodio:webhood:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webhood",
"vendor": "webhoodio",
"versions": [
{
"lessThan": "0.9.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T17:41:26.026955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T18:14:26.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "webhood",
"vendor": "webhood-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood\u0027s backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T14:45:31.347Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2"
},
{
"name": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9"
}
],
"source": {
"advisory": "GHSA-h533-rxhm-73j2",
"discovery": "UNKNOWN"
},
"title": "Missing Authentication for Critical Function in Webhood backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31218",
"datePublished": "2024-04-05T14:45:31.347Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-09-06T18:14:26.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31218 (GCVE-0-2024-31218)
Vulnerability from cvelistv5 – Published: 2024-04-05 14:45 – Updated: 2024-09-06 18:14
VLAI?
Title
Missing Authentication for Critical Function in Webhood backend
Summary
Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network.
Severity ?
9.8 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webhood-io | webhood |
Affected:
< 0.9.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2"
},
{
"name": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webhoodio:webhood:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webhood",
"vendor": "webhoodio",
"versions": [
{
"lessThan": "0.9.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31218",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T17:41:26.026955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T18:14:26.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "webhood",
"vendor": "webhood-io",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood\u0027s backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-05T14:45:31.347Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/webhood-io/webhood/security/advisories/GHSA-h533-rxhm-73j2"
},
{
"name": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/webhood-io/webhood/commit/735e7fa2814edeec9a2c07778ed51b3c018609f9"
}
],
"source": {
"advisory": "GHSA-h533-rxhm-73j2",
"discovery": "UNKNOWN"
},
"title": "Missing Authentication for Critical Function in Webhood backend"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31218",
"datePublished": "2024-04-05T14:45:31.347Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-09-06T18:14:26.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}