漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Vulnerability Description
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the `CreateSubAgent` RPC did not validate a requested app sharing level against the template's `MaxPortSharingLevel` before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Exploitation requires the ability to register sub-agent apps in a workspace the attacker controls. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2clamps the sub-agent app sharing level to the template's `MaxPortSharingLevel`. As a workaround, disable wildcard app hostnames (`CODER_WILDCARD_ACCESS_URL`) to block subdomain-based app routing.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
授权机制缺失
Vulnerability Title
Coder 授权问题漏洞
Vulnerability Description
Coder是Coder组织开源的一个可以在公共或私有云基础设施中设置开发环境的应用程序。 Coder存在授权问题漏洞,该漏洞源于`CreateSubAgent` RPC在持久化工作区apps之前未将请求的应用共享级别与模板的`MaxPortSharingLevel`进行验证,导致工作区所有者可以超过管理员配置的最大值。以下版本受到影响:2.29.17之前版本、2.32.7之前版本(自2.30.0起)、2.33.8之前版本(自2.33.0起)和2.34.2之前版本(自2.34.0起)。
CVSS Information
N/A
Vulnerability Type
N/A