漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft
Vulnerability Description
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Mockoon 授权问题漏洞
Vulnerability Description
Mockoon是mockoon团队开源的一个接口软件。 Mockoon 9.7.0之前版本存在安全漏洞,该漏洞源于admin API缺少身份验证并启用写方法,可能导致未经验证的调用者读取MOCKOON_*环境变量、写入任意进程环境变量、重写mock路由主体、状态和标头、读取事务日志和SSE流以及清除状态。
CVSS Information
N/A
Vulnerability Type
N/A