GHSA-7RQ6-7GV8-C37H

Vulnerability from github – Published: 2021-11-03 17:30 – Updated: 2021-11-03 14:35
VLAI?
Summary
Missing Authorization with Default Settings in Dashboard UI
Details

Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.

However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.

Impact

Missing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the Using Dashboard documentation article.

Impacted

If you are using UseHangfireDashboard method with default DashboardOptions.Authorization property value, then your installation is impacted:

app.UseHangfireDashboard(); // Impacted
app.UseHangfireDashboard("/hangfire", new DashboardOptions()); // Impacted

Not Impacted

If any other authorization filter is specified in the DashboardOptions.Authorization property, the you are not impacted:

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted
});

Patches

Patch is already available in version 1.7.26 and already available on NuGet.org, please see Hangfire.Core 1.7.26. Default authorization rules now prohibit remote requests by default again by including the LocalRequestsOnlyAuthorizationFilter filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.

Workarounds

It is possible to fix the issue by using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI. In this case upgrade is not required.

// using Hangfire.Dashboard;

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }
});

References

Original GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Hangfire.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.25"
            },
            {
              "fixed": "1.7.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.7.25"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-02T19:50:00Z",
    "nvd_published_at": "2021-11-02T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, `LocalRequestsOnlyAuthorizationFilter` filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.\n\nHowever due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.\n\n### Impact\n\nMissing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the [Using Dashboard](https://docs.hangfire.io/en/latest/configuration/using-dashboard.html#configuring-authorization) documentation article. \n\n#### Impacted\n\nIf you are using `UseHangfireDashboard` method with default `DashboardOptions.Authorization` property value, then your installation is impacted:\n\n```csharp\napp.UseHangfireDashboard(); // Impacted\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions()); // Impacted\n```\n\n#### Not Impacted\n\nIf any other authorization filter is specified in the `DashboardOptions.Authorization` property, the you are not impacted:\n\n```csharp\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions\n{\n    Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted\n});\n```\n\n### Patches\n\nPatch is already available in version [1.7.26](https://github.com/HangfireIO/Hangfire/releases/tag/v1.7.26) and already available on NuGet.org, please see [Hangfire.Core 1.7.26](https://www.nuget.org/packages/Hangfire.Core/1.7.26). Default authorization rules now prohibit remote requests by default again by including the `LocalRequestsOnlyAuthorizationFilter` filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.\n\n### Workarounds\n\nIt is possible to fix the issue by using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI. In this case upgrade is not required.\n\n```csharp\n// using Hangfire.Dashboard;\n\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions\n{\n    Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }\n});\n```\n\n### References\n\nOriginal GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958",
  "id": "GHSA-7rq6-7gv8-c37h",
  "modified": "2021-11-03T14:35:35Z",
  "published": "2021-11-03T17:30:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HangfireIO/Hangfire/issues/1958"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HangfireIO/Hangfire"
    },
    {
      "type": "WEB",
      "url": "https://www.nuget.org/packages/Hangfire.Core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing Authorization with Default Settings in Dashboard UI"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.