Vulnerability Information
Vulnerability Title
Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests
Vulnerability Description
Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.
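The description above is a middleware-ordering bug: an ASP.NET Core MapWhen branch gets its own pipeline, so a check that is only registered on the main path never runs for requests diverted into the branch. The following is an added, constructed illustration of that bug class in plain ASP.NET Core, not Ocelot's own code; the allow list, the IpFilter stand-in for SecurityMiddleware and the Proxy terminal are assumptions, and it assumes .NET 7 or later for the Use(Func<...>) overload.

```csharp
// Constructed illustration of the bug class (not Ocelot's own code).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();
PipelineDemo.ConfigureFixed(app);   // swap for ConfigureVulnerable to observe the gap
app.Run();

static class PipelineDemo
{
    // Hypothetical allow list; Ocelot reads its list from route configuration.
    static readonly HashSet<string> Allowed = new() { "10.0.0.5" };

    // Stand-in for the IP allow/block check (the role SecurityMiddleware plays).
    static Task IpFilter(HttpContext ctx, RequestDelegate next)
    {
        var ip = ctx.Connection.RemoteIpAddress?.ToString() ?? "";
        if (!Allowed.Contains(ip))
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        }
        return next(ctx);
    }

    // Stand-in for forwarding to the downstream service.
    static Task Proxy(HttpContext ctx) =>
        ctx.Response.WriteAsync("forwarded to downstream");

    // VULNERABLE: MapWhen builds the WebSocket branch with its own chain.
    // IpFilter is added to the main pipeline only after the branch exists,
    // so an upgrade request reaches Proxy without ever passing the IP check.
    public static void ConfigureVulnerable(WebApplication app)
    {
        app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest,
                    branch => branch.Run(Proxy));
        app.Use(IpFilter);
        app.Run(Proxy);
    }

    // FIXED: middleware registered before MapWhen runs before the branch
    // decision, so both the WebSocket path and the ordinary path enforce
    // the allow list. Calling branch.Use(IpFilter) inside the branch is the
    // other correct option.
    public static void ConfigureFixed(WebApplication app)
    {
        app.Use(IpFilter);
        app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest,
                    branch => branch.Run(Proxy));
        app.Run(Proxy);
    }
}
```

A quick regression check for a gateway is to send an Upgrade: websocket request from a denied address and confirm it receives the same 403 as a plain HTTP request from that address.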
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Authentication Bypass Using an Alternate Path or Channel
Vulnerability Title
Three Mammals Ocelot Authorization Issue Vulnerability
Vulnerability Description
Three Mammals Ocelot is a .NET gateway framework from the Three Mammals organization for implementing an API gateway, request routing, authentication and service aggregation. Three Mammals Ocelot 24.1.0 and earlier contain an authorization issue vulnerability. The vulnerability stems from the WebSocket upgrade pipeline branch omitting SecurityMiddleware, which allows denied clients to bypass IP-based access restrictions by sending WebSocket upgrade requests, so that their requests are proxied to downstream services without the configured allow/block list being enforced.
CVSS Information
N/A
Vulnerability Type
N/A