CVE-2023-7080 – Arbitrary remote code execution within wrangler dev Workers sandbox
https://notcve.org/view.php?id=CVE-2023-7080
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that could trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker. This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server has listened on local interfaces by default since wrangler@3.16.0, an SSRF vulnerability in miniflare (https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7, CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
References: https://github.com/cloudflare/workers-sdk/issues/4430 https://github.com/cloudflare/workers-sdk/pull/4437 https://github.com/cloudflare/workers-sdk/pull/4535 https://github.com/cloudflare/workers-sdk/pull/4550 https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf
Weakness: CWE-269: Improper Privilege Management
CVE-2023-7079 – Arbitrary remote file read in Wrangler dev server
https://notcve.org/view.php?id=CVE-2023-7079
Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.
References: https://github.com/cloudflare/workers-sdk/pull/4532 https://github.com/cloudflare/workers-sdk/pull/4535 https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-cfph-4qqh-w828
Weakness: CWE-287: Improper Authentication
CVE-2023-7078 – Server-Side Request Forgery (SSRF) in Miniflare
https://notcve.org/view.php?id=CVE-2023-7078
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.
References: https://github.com/cloudflare/workers-sdk/pull/4532 https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7
Weakness: CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-6193 – Unbounded queuing of path validation messages in cloudflare-quiche
https://notcve.org/view.php?id=CVE-2023-6193
quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at a slower rate than they are received, leading to storage of path validation data in an unbounded queue. Quiche versions greater than 0.19.0 address this problem.
References: https://datatracker.ietf.org/doc/html/rfc9000#section-8.2 https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm
Weakness: CWE-400: Uncontrolled Resource Consumption
CVE-2023-6180 – Resource exhaustion via memory leak in tokio-boring
https://notcve.org/view.php?id=CVE-2023-6180
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data each time a TLS connection completed, causing the program to consume more resources with each new connection.
References: https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4
Weakness: CWE-400: Uncontrolled Resource Consumption; CWE-401: Missing Release of Memory after Effective Lifetime; CWE-404: Improper Resource Shutdown or Release