Description
DevSpace's UI server accepts WebSocket connections from all origins by default, so every endpoint served over that WebSocket is reachable cross-origin. When a developer runs the DevSpace UI and at the same time browses the internet, a malicious website they visit can use their browser to open a cross-origin WebSocket connection to ws://127.0.0.1:8090. This allows an attacker to reach:
- /api/logs to stream real-time pod logs
- /api/enter to open an interactive shell inside the running pod
- /api/command to execute pre-defined pipeline commands
Patches
Versions 6.3.21 and above are patched.
Resources
gorilla/websocket CheckOrigin documentation
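To make the fix concrete, the block below contrasts the weak setting the advisory describes (an origin check that accepts everything) with a same-origin check of the kind gorilla/websocket's CheckOrigin hook expects, and a small allowlist variant for a UI that is reachable under more than one loopback name. This is an added example written for this page, not DevSpace's code or the patch itself; the helper names (sameOriginOnly, loopbackAllowlist, acceptAll, newUpgradeRequest) are hypothetical, the port 8090 comes from the advisory, and the remark that gorilla/websocket compares the Origin host against the request Host when CheckOrigin is nil is stated as an assumption about that library's default.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// acceptAll is the weak configuration the advisory describes: any web page,
// including one an attacker controls, may upgrade to the WebSocket.
func acceptAll(r *http.Request) bool { return true }

// sameOriginOnly is a CheckOrigin-style predicate (hypothetical helper): it
// accepts the upgrade only when the browser-supplied Origin header names the
// same host:port the server was reached at. Requests with no Origin header
// come from non-browser clients (e.g. a CLI) and are allowed through.
// Assumption: this mirrors what gorilla/websocket does when
// Upgrader.CheckOrigin is left nil.
func sameOriginOnly(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// loopbackAllowlist returns a predicate that accepts only origins whose
// host:port is in the given allowlist. Useful when the UI may be opened as
// either http://localhost:8090 or http://127.0.0.1:8090 (hypothetical helper).
func loopbackAllowlist(allowed ...string) func(*http.Request) bool {
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = true
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true
		}
		u, err := url.Parse(origin)
		if err != nil {
			return false
		}
		return set[strings.ToLower(u.Host)]
	}
}

// newUpgradeRequest builds a constructed GET against the UI server, optionally
// carrying the Origin header a browser would attach to a cross-site request.
func newUpgradeRequest(host, origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+host+"/api/logs", nil)
	r.Host = host
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	// Wiring into gorilla/websocket would be:
	//   upgrader := websocket.Upgrader{CheckOrigin: sameOriginOnly}
	// The Upgrader then answers 403 for any request the predicate rejects.
	checks := map[string]func(*http.Request) bool{
		"acceptAll (vulnerable)": acceptAll,
		"sameOriginOnly":         sameOriginOnly,
		"loopbackAllowlist":      loopbackAllowlist("127.0.0.1:8090", "localhost:8090"),
	}
	// Constructed sample requests: the legitimate UI page, and a cross-origin page.
	requests := map[string]*http.Request{
		"same-origin page": newUpgradeRequest("127.0.0.1:8090", "http://127.0.0.1:8090"),
		"localhost alias":  newUpgradeRequest("127.0.0.1:8090", "http://localhost:8090"),
		"cross-origin page": newUpgradeRequest("127.0.0.1:8090", "http://attacker.example"),
	}
	for cname, check := range checks {
		for rname, req := range requests {
			fmt.Printf("%-24s %-18s allowed=%v\n", cname, rname, check(req))
		}
	}
}
```

The strict same-origin predicate rejects the "localhost alias" case because the Origin host (localhost:8090) differs from the request Host (127.0.0.1:8090); if the UI is legitimately opened under both names, the allowlist form is the one to use. Either way the cross-origin page is refused, which is the property the patch restores.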
Installation Options
DevSpace is no longer published to NPM or Yarn; please continue to use our other installation methods to receive updates, including this patch.
Credit
Thanks to @b0b0haha for finding and reporting this vulnerability.