Fixed version: 1.14.3
CVE-2020-15149 is a critical privilege escalation vulnerability in the NodeBB forum software. By sending a specially crafted socket.io call, an attacker can change the password of any user on a running NodeBB instance. Affected versions are 1.12.2 and later up to, but not including, 1.14.3. The fix shipped in version 1.14.3; as a temporary workaround, the fixing commit can be cherry-picked into an existing installation.
The impact of CVE-2020-15149 is severe. Successful exploitation lets an attacker take over any account on the forum, including administrator accounts. That means access to private content and messages, modification or deletion of forum content and, because a NodeBB administrator can install plugins and change server-side settings from the admin control panel, a realistic path to compromising the underlying host. The root cause is an authorization gap in the password-change functionality as exposed over socket.io: in effect, the handler accepts the target user from the client-supplied payload without adequately verifying that the caller is entitled to change that account's password. A crafted socket.io message therefore bypasses the intended checks and sets a new password for an arbitrary user, after which the attacker simply logs in as that user.
CVE-2020-15149 was publicly disclosed on August 19, 2020. No active exploitation campaigns have been confirmed, and no public proof-of-concept was available at the time of disclosure, but the attack is a single crafted socket.io message against a standard feature, and the fixing commit shows exactly which check was missing, so a working exploit is easy to derive. Treat every unpatched, internet-facing instance as exposed. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Any organization running an unpatched NodeBB in the affected range (>= 1.12.2, < 1.14.3) is at risk, and the exposure scales with what a taken-over account can reach. Forums whose administrators are also server operators, and hosts where several NodeBB instances share the same system user, database or credentials, turn a single account takeover into a foothold on the machine and potentially on the other instances.
• nodejs / server: The vulnerable call travels over socket.io, i.e. inside a WebSocket session, so it does not appear as a separate HTTP request in a reverse-proxy access log. The journalctl filter below only surfaces whatever NodeBB itself logs around password changes, so a quiet log is not evidence of safety; a burst of password changes or password-reset e-mails for accounts whose owners did not request them is the signal to look for.
journalctl -u nodebb -f | grep -i 'password'
• generic web: Do not probe a production forum with crafted requests; the reliable check is the installed version. Run the command below in the NodeBB directory and compare the result against the affected range (>= 1.12.2, < 1.14.3). On a git checkout, git branch --contains 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a tells you whether the workaround commit is present.
node -p "require('./package.json').version"
Exploit status
EPSS: 0.40% (61st percentile)
CVSS vector
The primary mitigation for CVE-2020-15149 is to upgrade NodeBB to version 1.14.3 or later, which contains the corrected authorization logic. If upgrading is not immediately feasible, cherry-pick commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a from the NodeBB repository into your existing installation; this is the commit that fixes the flawed check. After applying the cherry-pick or upgrading, verify the fix in a test environment using accounts you control: a password-change socket.io call that names a different user's uid must now be rejected, and that user's password must remain unchanged. Do not run this test against a production forum or against accounts you do not own.
Upgrade NodeBB to version 1.14.3 or later. Alternatively, apply the patch from commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a manually.
CVE-2020-15149 is a critical vulnerability in NodeBB allowing attackers to change any user's password via crafted socket.io calls, leading to account takeover.
You are affected if you are running a NodeBB version from 1.12.2 up to, but not including, 1.14.3. Check your installed version and upgrade immediately.
Upgrade NodeBB to version 1.14.3 or later. As a temporary workaround, cherry-pick commit 16cee1b03ba3eee177834a1fdac4aa8a12b39d2a.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the NodeBB security advisory for detailed information and updates: https://github.com/nodebb/nodebb/security/advisories/GHSA-5g8m-693c-4w6x