GHSA-7W54-GP8X-F33M

Vulnerability from github – Published: 2022-01-12 22:44 – Updated: 2023-07-24 19:32
VLAI
Summary
Potential exposure of tokens to an Unauthorized Actor
Details

Impact

When using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit's control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account).

Patches

This was patched in 7.3.1, by updating the address of the fallback WebSocket polling proxy to the new one.

Workarounds

Specify the new address for the polling host (gp-v2.replit.com) in the ConnectArgs:

const connectOptions: ConnectArgs = {
  // ...
  pollingHost: 'gp-v2.replit.com',
};
client.connect(connectOptions);

For more information

Thanks to https://hackerone.com/orlserg for disclosing this.

If you have any questions or comments about this advisory: * Open an issue in replit/crosis * Email us at security@replit.com

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@replit/crosis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-10T23:18:10Z",
    "nvd_published_at": "2022-01-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen using this library as a way to programmatically communicate with Replit in a standalone fashion, if there are multiple failed attempts to contact Replit through a WebSocket, the library will attempt to communicate using a fallback poll-based proxy. The URL of the proxy has changed, so any communication done to the previous URL could potentially reach a server that is outside of Replit\u0027s control and the token used to connect to the Repl could be obtained by an attacker, leading to full compromise of that Repl (not of the account).\n\n### Patches\n\nThis was patched in 7.3.1, by updating the address of the fallback WebSocket polling proxy to the new one.\n\n### Workarounds\n\nSpecify the new address for the polling host (`gp-v2.replit.com`) in the `ConnectArgs`:\n\n```typescript\nconst connectOptions: ConnectArgs = {\n  // ...\n  pollingHost: \u0027gp-v2.replit.com\u0027,\n};\nclient.connect(connectOptions);\n```\n\n### For more information\n\nThanks to https://hackerone.com/orlserg for disclosing this.\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [replit/crosis](https://github.com/replit/crosis)\n* Email us at [security@replit.com](mailto:security@replit.com)",
  "id": "GHSA-7w54-gp8x-f33m",
  "modified": "2023-07-24T19:32:58Z",
  "published": "2022-01-12T22:44:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/replit/crosis/security/advisories/GHSA-7w54-gp8x-f33m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/replit/crosis/commit/e44b6a8f5fa28cb2872e3c19bb8a205bb5bfc281"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/replit/crosis"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential exposure of tokens to an Unauthorized Actor"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.