Platform
docker
Component
webhood
Fixed in
0.9.2
CVE-2024-31218 is a critical vulnerability in Webhood, a self-hosted URL scanner, affecting versions 0.9.0 and earlier. It allows an unauthenticated attacker to create an administrator account in the underlying Pocketbase database, which gives complete control over the instance. The root cause is a missing authentication check on admin-account creation in the Pocketbase API that Webhood exposes; version 0.9.1 contains the fix.
The impact is severe. Successful exploitation gives the attacker full administrative access to the Webhood instance and its Pocketbase database, including the ability to read, modify, delete, and exfiltrate scan data, and potentially a foothold for compromising the underlying infrastructure. Because Webhood exists to analyse potentially malicious URLs, an attacker with this access could tamper with scan results or feed malicious URLs into the system and turn it into a phishing distribution platform. No prior access or user interaction is required, which makes the issue particularly concerning.
CVE-2024-31218 was publicly disclosed on April 5, 2024. No active exploitation campaigns have been publicly confirmed, but the attack is simple (a single unauthenticated API request) and the severity is critical, so exploitation is likely. The vulnerability is not currently listed in CISA KEV. Public proof-of-concept exploits are likely to appear given the simplicity of the attack vector.
Organisations running self-hosted Webhood for URL scanning are at significant risk, especially where the instance is reachable from the internet. Shared hosting environments where Webhood runs alongside other applications are particularly exposed, since an attacker who gains admin access could potentially compromise the whole hosting account.
• docker: List running containers with docker ps --format '{{.Names}} {{.Image}}' and compare the tag of the Webhood image(s) against 0.9.1; docker inspect --format '{{.Config.Image}}' <container_id> shows the same for a single container. A tag such as latest does not tell you the version, so in that case check the compose file you deployed from or the image labels (docker inspect --format '{{json .Config.Labels}}' <image>).
• generic web: Monitor reverse-proxy access logs for POST requests to /api/admins. Standard combined-format access logs do not record the Authorization header, so key the rule on method, path and status: a 200 response to POST /api/admins from an address that is not your administrator's, or any attempt from an unexpected IP address, warrants investigation.
• generic web: Review Pocketbase's own request logs (the Logs view in the Pocketbase admin UI records method, URL, status and the authentication state of each request) for POST /api/admins entries, and compare the list of admin accounts against the ones you created.
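Both checks can be scripted. The following is an added example for this advisory, not code from the Webhood or Pocketbase projects: it reads docker ps output to flag Webhood images tagged below 0.9.1, and scans reverse-proxy log lines for POST /api/admins, rating an unauthenticated 200 highest. The image names, the trailing auth= log field (a hypothetical custom log variable recording whether an Authorization header was present) and the log lines are all constructed for the example.

```python
"""Triage helpers for CVE-2024-31218: flag vulnerable Webhood images in
`docker ps` output and spot admin-creation requests in proxy logs.
Added example for this advisory; not Webhood or Pocketbase code."""
import re
from typing import List, Optional, Tuple

# Per the advisory: 0.9.0 and earlier are affected, 0.9.1 carries the fix.
FIXED_VERSION = (0, 9, 1)

# Constructed output of: docker ps --format '{{.Names}}\t{{.Image}}'
# (image names are hypothetical; use whatever your compose file pulls).
DOCKER_PS_SAMPLE = """\
webhood-app\twebhood/webhood:0.9.0
webhood-db\twebhood/pocketbase:latest
grafana\tgrafana/grafana:10.2.3
"""

# Constructed reverse-proxy log lines. The trailing auth= field is a
# hypothetical custom log variable: "-" means no Authorization header was sent.
ACCESS_LOG_SAMPLE = """\
203.0.113.7 [05/Apr/2024:10:21:33 +0000] "POST /api/admins HTTP/1.1" 200 auth=-
198.51.100.2 [05/Apr/2024:10:22:10 +0000] "GET /api/collections/scans/records HTTP/1.1" 200 auth=bearer
203.0.113.7 [05/Apr/2024:10:23:51 +0000] "POST /api/admins HTTP/1.1" 401 auth=-
10.0.0.5 [05/Apr/2024:10:25:00 +0000] "POST /api/admins HTTP/1.1" 200 auth=bearer
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) for tags like '0.9.0' or 'v0.9.0'; None for 'latest' etc."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def image_tag(image_ref: str) -> str:
    """Tag portion of an image reference; an untagged reference means 'latest'."""
    last = image_ref.rsplit("/", 1)[-1]  # drop registry and namespace
    return last.split(":", 1)[1] if ":" in last else "latest"


def vulnerable_webhood_containers(docker_ps_output: str) -> List[Tuple[str, str, str]]:
    """Containers whose image name mentions webhood and whose tag is < 0.9.1 or unknown.
    Each hit is (container, image, verdict) with verdict 'vulnerable' or 'unknown'."""
    hits = []
    for line in docker_ps_output.splitlines():
        if not line.strip():
            continue
        name, image = line.split("\t", 1)
        if "webhood" not in image.lower():
            continue
        ver = parse_version(image_tag(image))
        if ver is None:
            hits.append((name, image, "unknown"))  # e.g. 'latest': inspect manually
        elif ver < FIXED_VERSION:
            hits.append((name, image, "vulnerable"))
    return hits


def flag_admin_creation(log_text: str) -> List[dict]:
    """Every POST /api/admins in the log, rated by whether auth was sent and it succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].rstrip("/") != "/api/admins":
            continue
        status = int(m["status"])
        unauth = m["auth"] == "-"
        if status == 200 and unauth:
            sev = "high"    # admin created without credentials: treat as exploitation
        elif unauth:
            sev = "medium"  # rejected attempt, still worth an alert
        else:
            sev = "info"    # authenticated creation: confirm against change records
        findings.append({"ip": m["ip"], "time": m["ts"], "status": status, "severity": sev})
    return findings


if __name__ == "__main__":
    for name, image, verdict in vulnerable_webhood_containers(DOCKER_PS_SAMPLE):
        print(f"{verdict:10} {name} ({image})")
    for f in flag_admin_creation(ACCESS_LOG_SAMPLE):
        print(f"{f['severity']:6} {f['ip']} {f['time']} status={f['status']}")
```

Run it as-is to see the constructed samples rated, or feed it real input: `docker ps --format '{{.Names}}\t{{.Image}}'` for the container check, and your proxy log for the second function after adjusting LOG_RE to your log format. If your proxy does not log an auth indicator, drop the auth= group and alert on every POST /api/admins with status 200.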
disclosure
Exploit Status
EPSS
0.29% (52nd percentile)
CVSS vector
The primary mitigation for CVE-2024-31218 is to upgrade Webhood to version 0.9.1 or later immediately. If upgrading is not immediately feasible, block the Pocketbase admin endpoint /api/admins at the reverse proxy or WAF in front of Webhood, allowing it at most from the addresses your administrators use. Monitor Pocketbase's request logs for account-creation attempts, and review the deployment configuration to ensure no default admin accounts are present and that the instance is not needlessly exposed to the internet. After upgrading, confirm the fix by sending a request to the Pocketbase admin API without an Authorization header; it must be rejected (401 or 403), not accepted.
Update Webhood to version 0.9.1 or later. If you cannot update immediately, you can instead block access to the path `/api/admins` in your web server configuration to mitigate the vulnerability. This prevents the unauthorised creation of admin accounts.
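A small probe for the post-upgrade check above, added here as an example and not code from Webhood or Pocketbase. It relies on one assumption about Pocketbase: the admin-auth middleware on POST /api/admins runs before request-body validation, so sending an empty JSON body never creates an account and the status alone shows whether authentication was enforced (401/403 protected, 400 the handler was reached without credentials). The default port 8090 and the verdict names are the example's own choices.

```python
"""Post-upgrade check for CVE-2024-31218: does Pocketbase's admin-creation
endpoint still accept unauthenticated requests? Added example for this
advisory; not Webhood or Pocketbase code."""
import sys
import urllib.error
import urllib.request

# Assumption: Pocketbase checks admin auth on POST /api/admins before it
# validates the body, so an empty object is rejected with 400 when no auth
# is required and with 401 when it is. Nothing is created either way.
PROBE_BODY = b"{}"


def interpret_status(status: int) -> str:
    """Verdict for the HTTP status of an unauthenticated, empty POST /api/admins."""
    if status in (401, 403):
        return "protected"    # auth enforced, or a proxy/WAF rule blocks the path
    if status == 404:
        return "no_endpoint"  # path not served here: hidden by the proxy, or wrong host/port
    if status == 400:
        return "vulnerable"   # handler validated the body: no credentials were required
    if status == 200:
        return "vulnerable"   # should not happen with an empty body; treat as worst case
    return "unexpected"       # 5xx etc.: retry and inspect the response manually


def probe(base_url: str, timeout: float = 5.0) -> str:
    """POST an empty JSON object to <base_url>/api/admins with no Authorization header."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/admins",
        data=PROBE_BODY,
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 4xx/5xx arrive as exceptions; the code is what we want
    return interpret_status(status)


if __name__ == "__main__":
    # Example's own default: Pocketbase's standard listen port on the local host.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8090"
    print(f"{target}: {probe(target)}")
```

Point it at the Pocketbase port directly as well as at the public URL: a "protected" verdict through the reverse proxy only proves the proxy rule works, while the direct probe shows whether the upgrade itself closed the hole.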
CVE-2024-31218 is a critical vulnerability in Webhood versions 0.9.0 and earlier that allows unauthenticated attackers to create admin accounts in the Pocketbase database, granting full control of the instance.
Yes, if you are running Webhood version 0.9.0 or earlier you are affected. Upgrade to version 0.9.1 or later immediately.
The recommended fix is to upgrade Webhood to version 0.9.1 or later. As a temporary workaround, block access to the Pocketbase admin endpoint /api/admins at your reverse proxy or WAF.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Webhood GitHub repository for the latest security advisories and updates: [https://github.com/Webhoodio/Webhood](https://github.com/Webhoodio/Webhood)