Platform
docker
Component
webhood
Fixed in
0.9.1
CVE-2024-31218 is a critical vulnerability in Webhood, a self-hosted URL scanner, affecting versions 0.9.0 and earlier. It allows an unauthenticated attacker to create an administrator account in the PocketBase database that backs Webhood, giving them full control of the instance. The root cause is that the admin-creation route of the PocketBase API (`/api/admins`) could be reached without an authentication check. The issue is fixed in version 0.9.1.
The impact is severe. Successful exploitation gives the attacker full administrative access to the Webhood instance and its PocketBase database: read, modify, delete or exfiltrate the scan data Webhood has collected, change configuration, and from there attempt to pivot into the surrounding infrastructure. Because Webhood exists to analyze suspicious URLs, an attacker who controls it can also tamper with scan results or feed it attacker-chosen URLs. No prior access, credentials or user interaction is required, which is what makes the flaw particularly concerning.
CVE-2024-31218 was publicly disclosed on April 5, 2024. No active exploitation campaigns have been publicly confirmed, and the EPSS score listed on this page (0.29%) is low, but the attack is a single unauthenticated HTTP request against a documented API route, so it requires no specialised tooling. The vulnerability is not currently listed in CISA KEV.
Organizations running Webhood, in particular self-hosted instances whose backend is reachable from the internet or from an untrusted network segment, are at significant risk. Where the Webhood containers share a host or network with other applications, an attacker who gains admin on Webhood gains a foothold from which to attack those neighbours as well.
• docker: Identify Webhood containers and the image tag they were started from; any tag older than 0.9.1 is affected. `docker ps --format '{{.Names}}\t{{.Image}}'` lists running containers with their image, and `docker inspect <container_id>` shows the full image reference and labels. If the image is tagged `latest`, confirm the actual version from your deployment's compose file or the image's digest in the Webhood release notes rather than trusting the tag.
• generic web: Review reverse-proxy or web-server access logs for `POST /api/admins`, the PocketBase route that creates admin accounts. On a healthy instance this route is only exercised when an operator deliberately creates an admin, so any POST to it from an unexpected source address, or a 2xx response to such a request, is suspicious. Note that standard access-log formats do not record the Authorization header, so the source address and timing are usually what you have to go on.
• generic web: Check the PocketBase admin list (Settings > Admins in the PocketBase UI) for accounts you did not create, and review PocketBase's own request logs (kept in its `pb_data` directory) for admin-creation events with their timestamps and source addresses.
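The access-log check described above, as an added example that is not part of the original advisory or of the Webhood project: it parses nginx/Apache "combined" log lines and flags every `POST /api/admins` that did not come from a trusted operator address. The log lines are constructed sample data, and the trusted-address set is an assumption you would replace with your own.

```python
import re

# Constructed sample lines in nginx/Apache "combined" format (not real Webhood logs).
# Line 1 and 3: an external host creates an admin, then logs in with it.
# Line 4: an operator on the internal network creates an admin via the PocketBase UI.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2024:10:01:12 +0000] "POST /api/admins HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.20 - - [05/Apr/2024:10:02:40 +0000] "GET /api/collections/scans/records HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2024:10:03:01 +0000] "POST /api/admins/auth-with-password HTTP/1.1" 200 640 "-" "curl/8.4.0"
10.0.0.5 - - [05/Apr/2024:10:05:00 +0000] "POST /api/admins HTTP/1.1" 200 312 "https://webhood.internal/_/" "Mozilla/5.0"
"""

# Fields of the combined log format that matter here: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# PocketBase's admin-creation route. The exact-path comparison below deliberately
# excludes sub-routes such as /api/admins/auth-with-password (the login route).
ADMIN_CREATE_PATH = "/api/admins"


def find_admin_creation(log_text, trusted_ips=frozenset(), successful_only=False):
    """Return (ip, timestamp, status) for each POST /api/admins from a non-trusted IP.

    With successful_only=True only 2xx responses are reported, i.e. requests that
    actually resulted in an admin account being created.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        if m["method"] != "POST" or path != ADMIN_CREATE_PATH:
            continue
        if m["ip"] in trusted_ips:
            continue
        if successful_only and not 200 <= status < 300:
            continue
        hits.append((m["ip"], m["ts"], status))
    return hits


if __name__ == "__main__":
    # Assumed operator address; replace with the addresses your admins actually use.
    for ip, ts, status in find_admin_creation(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print(f"suspicious admin creation: ip={ip} time={ts} status={status}")
```

Feed it your real log (`find_admin_creation(open(path).read(), trusted_ips=...)`) and treat any hit with a 2xx status as a confirmed unauthorized admin account until proven otherwise; a hit with a 401 or 403 on a patched instance is an attempt that was refused and is still worth correlating with other activity from that address.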
disclosure
Exploit status
EPSS
0.29% (52nd percentile)
CVSS vector
The primary mitigation for CVE-2024-31218 is to upgrade Webhood to version 0.9.1 or later without delay. If upgrading is not immediately possible, block requests to the PocketBase admin-creation route `/api/admins` at the reverse proxy or WAF in front of the backend; block the exact path, not the `/api/admins/...` prefix, or operators will no longer be able to log in through `/api/admins/auth-with-password`. Check the PocketBase admin list for accounts you did not create and review its request logs for admin-creation attempts. Review the deployment configuration so that no default admin accounts remain and the backend is not exposed more widely than it needs to be. After upgrading, confirm the fix by sending a request to the PocketBase admin API without an authentication token; it must be refused.
Upgrade Webhood to version 0.9.1 or later. Alternatively, if you cannot upgrade immediately, block access to the `/api/admins` route in your web-server configuration to mitigate the vulnerability. This prevents unauthorized creation of administrator accounts.
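The post-upgrade verification step above, as an added example that is neither the advisory's nor the Webhood project's code: it sends an unauthenticated `POST /api/admins` carrying an empty JSON body and interprets the HTTP status. The body is deliberately invalid so that even a still-vulnerable instance rejects it with a validation error instead of creating an account. The interpretation of each status (a 401/403 means the auth check refused the request; a 400 means the handler got as far as validating the body, i.e. no auth was required) is an assumption about how PocketBase orders its checks and how the page's proxy-block workaround surfaces, and the host name used in the usage line is a placeholder.

```python
import json
import sys
import urllib.error
import urllib.request

ADMIN_CREATE_PATH = "/api/admins"


def classify_admin_create_response(status):
    """Map the status of an unauthenticated POST /api/admins to a verdict.

    Assumed interpretation (see lead-in):
      2xx      -> an admin was created without a token: VULNERABLE
      400      -> validation ran, so auth was not required first: VULNERABLE
      401/403  -> the auth check refused the request: BLOCKED
      404      -> route denied at the proxy, or not served: BLOCKED
      anything else -> UNKNOWN, inspect manually
    """
    if 200 <= status < 300 or status == 400:
        return "VULNERABLE"
    if status in (401, 403, 404):
        return "BLOCKED"
    return "UNKNOWN"


def probe_admin_create(base_url, timeout=10):
    """Send the probe with no Authorization header and return the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ADMIN_CREATE_PATH,
        data=json.dumps({}).encode(),  # empty body: fails validation, never creates an account
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 4xx/5xx arrive here; the code is what we want


if __name__ == "__main__":
    # Usage: python probe.py https://webhood.example.internal   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8090"
    code = probe_admin_create(target)
    print(f"{target}{ADMIN_CREATE_PATH} -> HTTP {code}: {classify_admin_create_response(code)}")
```

Run it only against instances you operate, and confirm a VULNERABLE verdict by looking at the PocketBase admin list rather than trusting the status code alone; a reverse proxy that rewrites error responses can shift the code you see.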
CVE-2024-31218 is a critical vulnerability in Webhood versions 0.9.0 and earlier that allows unauthenticated attackers to create admin accounts in the PocketBase database, granting full control of the instance.
Yes, if you are running Webhood version 0.9.0 or earlier you are affected. Upgrade to version 0.9.1 or later immediately.
The recommended fix is to upgrade Webhood to version 0.9.1 or later. As a temporary workaround, block the `/api/admins` route at your reverse proxy or WAF so that the PocketBase admin-creation API cannot be reached.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Webhood GitHub repository for the latest security advisories and updates: [https://github.com/Webhoodio/Webhood](https://github.com/Webhoodio/Webhood)