Platform: docker
Component: webhood
Fixed in: 0.9.2
CVE-2024-31218 is a critical vulnerability affecting Webhood, a self-hosted URL scanner, specifically versions 0.9.0 and earlier. This vulnerability allows an unauthenticated attacker to create an administrator account within the underlying Pocketbase database, granting them complete control over the system. The vulnerability stems from a lack of authentication checks when creating admin accounts in the Pocketbase API, and a fix is available in version 0.9.1.
The impact of CVE-2024-31218 is severe. Successful exploitation allows an attacker to gain full administrative access to the Webhood instance and its associated Pocketbase database. This includes the ability to modify, delete, and exfiltrate data scanned by Webhood, as well as potentially compromise the underlying infrastructure. Given Webhood's purpose of analyzing potentially malicious URLs, an attacker could leverage this access to inject malicious URLs into the system, effectively turning it into a phishing distribution platform. The lack of authentication makes this vulnerability particularly concerning, as no prior interaction with the system is required for exploitation.
CVE-2024-31218 was publicly disclosed on April 5, 2024. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the critical severity of the vulnerability suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector.
Organizations utilizing Webhood for URL scanning, particularly those deploying it in self-hosted environments, are at significant risk. Shared hosting environments where Webhood is installed alongside other applications are especially vulnerable, as an attacker could potentially compromise the entire hosting account.
• docker: Inspect running containers for Webhood versions prior to 0.9.1. Use `docker ps` to identify containers and `docker exec -it <container_id> sh` to access the container's shell. Then check the version using `webhood --version`.
• generic web: Monitor access logs for requests to `/api/admin/users` without authentication headers. Look for POST requests to this endpoint originating from unusual IP addresses.
• generic web: Monitor Pocketbase database logs for new admin user creation events. These logs typically contain timestamps and user details.
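The access-log check described above, as an added example that is not part of this advisory: it scans JSON-per-line reverse-proxy access logs (a constructed format, with placeholder tokens) for POST requests to the admin-creation paths the advisory names, and flags those with no Authorization header or from outside the operator's trusted networks.

```python
import ipaddress
import json

# Paths the advisory names for admin-account creation (both spellings appear on the page).
ADMIN_PATHS = ("/api/admin/users", "/api/admins")

# Constructed sample log lines in a JSON-per-line reverse-proxy format (not real Webhood logs);
# "Admin <token>" is a placeholder for a real admin token.
SAMPLE_LOG = """\
{"ts":"2024-04-06T10:01:02Z","remote_ip":"10.0.0.5","method":"POST","uri":"/api/admins","status":200,"headers":{"Authorization":"Admin <token>"}}
{"ts":"2024-04-06T10:02:15Z","remote_ip":"203.0.113.77","method":"POST","uri":"/api/admins","status":200,"headers":{}}
{"ts":"2024-04-06T10:02:16Z","remote_ip":"203.0.113.77","method":"GET","uri":"/api/admins","status":401,"headers":{}}
{"ts":"2024-04-06T10:03:40Z","remote_ip":"198.51.100.9","method":"POST","uri":"/api/admin/users","status":200,"headers":{"authorization":"Admin <token>"}}
{"ts":"2024-04-06T10:04:00Z","remote_ip":"10.0.0.8","method":"POST","uri":"/api/collections/urls/records","status":200,"headers":{}}
"""


def find_suspicious_admin_requests(log_text, trusted_nets=("10.0.0.0/8",)):
    """Return findings for POST requests to the admin-creation paths.

    A request is flagged when it carries no Authorization header (any case)
    or when it comes from outside the operator's trusted networks; every
    reason that applies is reported so an analyst can triage quickly.
    A 200 status on an unauthenticated POST is the strongest signal.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = rec.get("uri", "").split("?", 1)[0]  # ignore query string
        if rec.get("method") != "POST" or path not in ADMIN_PATHS:
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        src = ipaddress.ip_address(rec["remote_ip"])
        reasons = []
        if "authorization" not in headers:
            reasons.append("no Authorization header")
        if not any(src in net for net in trusted):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"ts": rec["ts"], "src": str(src), "path": path,
                             "status": rec.get("status"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_admin_requests(SAMPLE_LOG):
        print(finding)
```

Adjust `trusted_nets` to the networks your administrators actually connect from; a finding with both reasons and a 2xx status warrants immediate review of the Pocketbase admin list.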
disclosure
Exploit status
EPSS: 0.29% (percentile 52%)
CVSS vector
The primary mitigation for CVE-2024-31218 is to immediately upgrade Webhood to version 0.9.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/admin/users endpoint, specifically those originating from unauthenticated sources. Monitor Pocketbase database logs for suspicious activity, particularly account creation attempts. Review Webhood's deployment configuration to ensure that no default admin accounts are present and that appropriate security measures are in place. After upgrading, confirm the fix by attempting to access the Pocketbase admin API without authentication; access should be denied.
Update Webhood to version 0.9.1 or later. Alternatively, if you cannot update immediately, you can block access to the `/api/admins` path in your web server configuration to mitigate the vulnerability. This prevents unauthorized creation of administrator accounts.
CVE-2024-31218 is a critical vulnerability in Webhood versions ≤ 0.9.1 that allows unauthenticated attackers to create admin accounts in the Pocketbase database, granting full control.
Yes, if you are running Webhood version 0.9.0 or earlier, you are affected by this vulnerability. Upgrade to version 0.9.1 immediately.
The recommended fix is to upgrade Webhood to version 0.9.1 or later. As a temporary workaround, implement a WAF rule to block unauthorized access to the Pocketbase admin API.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Webhood GitHub repository for the latest security advisories and updates: [https://github.com/Webhoodio/Webhood](https://github.com/Webhoodio/Webhood)