Platform: go
Component: github.com/firebase/firebase-tools
Fixed in: 13.6.1, 13.6.0
CVE-2024-4128 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Firebase Tools emulator suite, a component of the broader Firebase development platform. This vulnerability allows an attacker to potentially trigger unintended actions within the emulator environment if a user is authenticated and visits a malicious website. The vulnerability impacts versions of Firebase Tools prior to 13.6.0, and a patch is available in version 13.6.0.
The primary impact of this CSRF vulnerability lies within the Firebase Tools emulator suite. An attacker could craft a malicious website or link that, when visited by an authenticated user, would send unauthorized requests to the emulator. This could lead to unintended data modification, configuration changes, or other actions within the emulated Firebase environment. While the emulator itself doesn't directly impact production systems, it could compromise development workflows, testing environments, and potentially expose sensitive data used during development. The blast radius is limited to the emulator environment, but the potential for disruption and data exposure warrants prompt remediation.
As of the publication date (2024-06-05), there is no public evidence of CVE-2024-4128 being actively exploited in the wild. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) or EPSS (Emergency Patch Status System). Given the low CVSS score and the limited scope of the emulator environment, the probability of exploitation is considered low. However, it's crucial to apply the patch promptly to prevent potential future exploitation.
Exploit status
EPSS: 0.07% (percentile 21%)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2024-4128 is to immediately upgrade to Firebase Tools version 13.6.0 or later. This version includes a fix that prevents the CSRF vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter authentication controls within the emulator environment. While not a direct fix, requiring multi-factor authentication (MFA) for emulator access can significantly reduce the risk of exploitation. Additionally, review any custom scripts or configurations used with the emulator to ensure they do not inadvertently expose sensitive data or functionality. After upgrading, confirm the fix by attempting to trigger a CSRF request against the emulator and verifying that it is blocked.
Update firebase-tools to a version later than 13.6.0. You can do this by running `npm install -g firebase-tools@latest` or `yarn global add firebase-tools@latest`. This fixes the CSRF vulnerability that allows data exfiltration from the emulator.
CVE-2024-4128 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Firebase Tools emulator suite, allowing attackers to trigger unintended actions within the emulator environment if a user is authenticated.
You are affected if you are using a version of Firebase Tools prior to 13.6.0. Check your version using `firebase --version`.
Upgrade to Firebase Tools version 13.6.0 or later. This version includes the necessary fix to prevent the CSRF vulnerability.
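An added POSIX shell helper (not part of this advisory or of firebase-tools) that decides whether a firebase-tools version falls in the affected range for CVE-2024-4128, i.e. anything before 13.6.0, and optionally checks the locally installed CLI. It assumes `firebase --version` prints a bare version string such as `13.5.2`.

```shell
#!/bin/sh
# Added example: affected-version check for CVE-2024-4128 (firebase-tools < 13.6.0).

FIXED_VERSION="13.6.0"

# version_lt A B: succeeds (exit 0) when dotted version A sorts before B.
# Missing components count as 0; a pre-release suffix (e.g. 13.6.0-beta.1)
# is dropped, so a pre-release of 13.6.0 is treated like 13.6.0 (assumption).
version_lt() {
  a=${1%%-*}; b=${2%%-*}
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    [ "$1" -lt "$2" ] && return 0
    [ "$1" -gt "$2" ] && return 1
  done
  return 1   # equal versions: A is not less than B
}

# firebase_tools_affected VERSION: succeeds when VERSION is vulnerable.
firebase_tools_affected() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_installed: inspect the firebase CLI on PATH, if any.
# Assumes `firebase --version` prints only the version number.
check_installed() {
  if ! command -v firebase >/dev/null 2>&1; then
    echo "firebase CLI not found; nothing to check"
    return 0
  fi
  v=$(firebase --version 2>/dev/null | tr -d '[:space:]')
  if firebase_tools_affected "$v"; then
    echo "firebase-tools $v is AFFECTED by CVE-2024-4128: upgrade to >= $FIXED_VERSION"
    return 1
  fi
  echo "firebase-tools $v is not affected by CVE-2024-4128"
}

# Run the local check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

The helper exits non-zero on an affected install, so it can gate a CI job or a pre-commit hook.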
As of the publication date, there is no public evidence of CVE-2024-4128 being actively exploited in the wild.
Refer to the official Firebase release notes and security advisories on the Firebase website for details: https://firebase.google.com/docs/release-notes