Platform
npm (Node.js)
Component
github.com/firebase/firebase-tools
Fixed versions
13.6.1
13.6.0
CVE-2024-4128 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Firebase Tools Emulator Suite, the local emulators shipped with the firebase-tools CLI. A developer who has the emulators running and visits a malicious website in the same browser can have that page send requests to the emulator's local HTTP endpoints, triggering actions the developer never intended. Releases of firebase-tools before 13.6.0 are affected; 13.6.0 and 13.6.1 are listed above as fixed versions.
The impact is confined to the Emulator Suite. The emulators listen on local ports, and a browser will send a cross-origin request from any page to those ports, so a crafted page or link lets an attacker issue state-changing requests to the emulator without the developer noticing. Possible outcomes are modification or loss of emulated data, configuration changes, or other actions the emulator exposes. The emulator does not touch production services, but it can disrupt development and test workflows and expose whatever data the developer has loaded into it, including copies of real data used for testing. The blast radius is one developer machine, but the potential for disruption and data exposure warrants prompt remediation.
As of the publication date (2024-06-05), there is no public evidence of CVE-2024-4128 being exploited in the wild. The vulnerability is not on CISA's Known Exploited Vulnerabilities (KEV) list, and its EPSS (Exploit Prediction Scoring System) score is 0.07%, the 21st percentile, so the modelled probability of exploitation is low. The limited scope of the emulator environment further reduces the risk, but the patch should still be applied promptly: the attack requires only that a developer open a malicious page while the emulators are running.
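The CSRF mechanics described above, as an added example in JavaScript that is not code from firebase-tools: a minimal local dev-server handler that honours any POST reaching its port, beside a hardened version that checks Host (against DNS rebinding), Sec-Fetch-Site and Origin before performing the state change. The port 4400, the path /_admin/reset and the four request shapes are constructed for the demonstration and do not describe the real emulator hub or the actual fix.

```javascript
// Added example, not code from firebase-tools. It contrasts a local dev
// server that trusts every request reaching its port with one that checks
// Host, Sec-Fetch-Site and Origin before performing a state change.
// LOCAL_PORT, RESET_PATH and the request shapes below are assumptions for
// illustration; they do not describe the real emulator hub or its fix.

const LOCAL_PORT = 4400;
const RESET_PATH = '/_admin/reset';

// Host values a browser uses to reach the local service. Any other Host
// means the request arrived through DNS rebinding or a forwarded hostname.
const LOCAL_HOSTS = new Set([
  `localhost:${LOCAL_PORT}`,
  `127.0.0.1:${LOCAL_PORT}`,
  `[::1]:${LOCAL_PORT}`,
]);

// Origins allowed to drive state-changing endpoints: the service's own UI.
const TRUSTED_ORIGINS = new Set([...LOCAL_HOSTS].map((h) => `http://${h}`));

// Vulnerable pattern: the reset is performed for whoever sends it. A page on
// attacker.example can run fetch('http://localhost:4400/_admin/reset',
// { method: 'POST', mode: 'no-cors' }); the browser hides the response from
// the page, but the side effect has already happened.
function handleVulnerable(req, state) {
  if (req.method === 'POST' && req.url === RESET_PATH) {
    state.resets += 1;
    return 200;
  }
  return 404;
}

// Decide whether a state-changing request came from the service's own UI.
function isSameSiteRequest(headers) {
  if (!LOCAL_HOSTS.has(headers.host)) return false;             // rebinding or bad Host
  if (headers['sec-fetch-site'] === 'cross-site') return false; // browser says so outright
  const origin = headers.origin;
  if (origin !== undefined) return TRUSTED_ORIGINS.has(origin);
  // No Origin header: a non-browser client such as curl or the CLI itself.
  // Browsers always send Origin on a cross-origin POST, so CSRF cannot
  // reach this branch; GETs are never allowed to change state here.
  return true;
}

// Hardened pattern: same handler, gated on the origin check.
function handleHardened(req, state) {
  if (req.method === 'POST' && req.url === RESET_PATH) {
    if (!isSameSiteRequest(req.headers)) return 403;
    state.resets += 1;
    return 200;
  }
  return 404;
}

// Constructed requests, in order: the service's own UI, a malicious page
// visited while the service is running, the same page after DNS rebinding
// (Origin and Host both carry the attacker's name), and a CLI call.
const SCENARIOS = [
  { method: 'POST', url: RESET_PATH, headers: { host: `localhost:${LOCAL_PORT}`,
      origin: `http://localhost:${LOCAL_PORT}`, 'sec-fetch-site': 'same-origin' } },
  { method: 'POST', url: RESET_PATH, headers: { host: `localhost:${LOCAL_PORT}`,
      origin: 'https://attacker.example', 'sec-fetch-site': 'cross-site' } },
  { method: 'POST', url: RESET_PATH, headers: { host: `attacker.example:${LOCAL_PORT}`,
      origin: `http://attacker.example:${LOCAL_PORT}`, 'sec-fetch-site': 'same-origin' } },
  { method: 'POST', url: RESET_PATH, headers: { host: `127.0.0.1:${LOCAL_PORT}` } },
];

// Run all four requests through a handler and report statuses and resets.
function runScenarios(handler) {
  const state = { resets: 0 };
  const statuses = SCENARIOS.map((req) => handler(req, state));
  return { statuses, resets: state.resets };
}

console.log('vulnerable:', runScenarios(handleVulnerable)); // 200,200,200,200 and 4 resets
console.log('hardened:  ', runScenarios(handleHardened));   // 200,403,403,200 and 2 resets
```

The Host check is what stops the DNS-rebinding variant: once the attacker's hostname resolves to 127.0.0.1, the Origin and Sec-Fetch-Site headers look same-origin to the browser, and only the unexpected Host reveals that the request was not addressed to the service by name.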
Exploitation status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2024-4128 is to upgrade to firebase-tools 13.6.0 or later, which contains the fix. If an immediate upgrade is blocked by compatibility issues, reduce exposure in the meantime: keep the emulators bound to the loopback interface (do not set an emulator host to 0.0.0.0 in firebase.json unless remote access is genuinely needed), avoid browsing untrusted sites while the emulators are running, and do not load sensitive or production-derived data into emulator instances. Also review any custom scripts or configurations used with the emulator to make sure they do not expose additional data or functionality. After upgrading, confirm the fix by issuing a state-changing request to the emulator from a foreign origin (for example a local HTML page served from a different port) and verifying that the emulator rejects it.
Upgrade firebase-tools to 13.6.0 or later, for example with `npm install -g firebase-tools@latest` or `yarn global add firebase-tools@latest`. This fixes the CSRF vulnerability that allowed emulator data to leak.
CVE-2024-4128 is a Cross-Site Request Forgery (CSRF) vulnerability in the Firebase Tools Emulator Suite; a malicious website visited by a developer who has the emulators running can trigger unintended actions within the emulator environment.
You are affected if you are using a version of firebase-tools prior to 13.6.0. Check your version with `firebase --version`.
Upgrade to Firebase Tools version 13.6.0 or later. This version includes the necessary fix to prevent the CSRF vulnerability.
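A version check for the two steps above, added here as example code rather than anything from the advisory or from firebase-tools: it compares the string `firebase --version` prints against 13.6.0 numerically (a plain string comparison puts 13.10.0 before 13.6.0) and also scans a package-lock.json for project-local copies of the CLI, which a global `firebase --version` would not reveal. The lockfile contents and version strings are constructed for the demonstration.

```javascript
// Added example, not part of the advisory or of firebase-tools. It decides
// whether a firebase-tools version is below the fixed release, comparing
// numerically rather than as strings, and scans a package-lock.json for
// project-local copies of the CLI. The lockfile and version strings used
// below are constructed for the demonstration.

const FIXED_VERSION = '13.6.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; `firebase --version` prints the
// bare version, but a leading "v" or surrounding whitespace is tolerated.
function parseVersion(text) {
  const m = String(text).trim().match(/^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/);
  if (!m) throw new Error(`not a semver string: ${JSON.stringify(text)}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Numeric comparison of the three components; a prerelease sorts before the
// release it precedes (13.6.0-beta.1 < 13.6.0). Prerelease-vs-prerelease
// ordering is simplified to a string comparison here.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.parts[i] !== vb.parts[i]) return va.parts[i] < vb.parts[i] ? -1 : 1;
  }
  if (va.pre === vb.pre) return 0;
  if (va.pre === null) return 1;
  if (vb.pre === null) return -1;
  return va.pre < vb.pre ? -1 : 1;
}

// True when the installed version predates the fix.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2 or 3 package-lock.json and
// report every installed firebase-tools, including nested copies pulled in
// by other dependencies, which a global `firebase --version` never shows.
function findFirebaseToolsVersions(lockfile) {
  const lock = typeof lockfile === 'string' ? JSON.parse(lockfile) : lockfile;
  const found = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages ?? {})) {
    if (pkgPath === 'node_modules/firebase-tools' || pkgPath.endsWith('/node_modules/firebase-tools')) {
      found.push({ path: pkgPath, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return found;
}

// Constructed lockfile: the project pins an old CLI, and a wrapper package
// carries its own, already fixed, nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/firebase-tools': { version: '13.5.2' },
    'node_modules/some-wrapper': { version: '1.0.0' },
    'node_modules/some-wrapper/node_modules/firebase-tools': { version: '13.6.1' },
  },
});

// Why the numeric parse matters: as strings, "13.10.0" sorts before "13.6.0".
const LEXICAL_PITFALL = '13.10.0' < '13.6.0'; // true
const NUMERIC_VERDICT = isAffected('13.10.0'); // false

console.log('13.5.2 affected:', isAffected('13.5.2')); // true
console.log('13.6.0 affected:', isAffected('13.6.0')); // false
console.log('lockfile:', findFirebaseToolsVersions(SAMPLE_LOCK));
```

To run it against a real project, pass the contents of its package-lock.json to findFirebaseToolsVersions and the output of `firebase --version` to isAffected; every entry reported as affected needs the upgrade, not just the globally installed CLI.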
As of the publication date, there is no public evidence of CVE-2024-4128 being actively exploited in the wild.
Refer to the official Firebase release notes and security advisories on the Firebase website for details: https://firebase.google.com/docs/release-notes