漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Incorrect Authorization in org.cometd.oort
Vulnerability Description
CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of Oort and Seti channels is improperly authorized, so any remote user could subscribe and publish to those channels. By subscribing to those channels, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to those channels, a remote user may be able to create/modify/delete other user's data and modify the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids subscription and publishing to remote, non-Oort, sessions on Oort and Seti channels.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
CometD 安全漏洞
Vulnerability Description
CometD是CometD社区的一个可扩展的基于 WebSocket 和 HTTP 的事件和消息路由总线。 CometD 5.0.11、6.0.6 和 7.0.6 之前的任何版本中存在安全漏洞,该漏洞源于对 Oort 和 Seti 频道的内部使用都未得到适当授权,因此任何远程用户都可以订阅和发布这些频道。通过订阅这些频道,远程用户可能能够观看包含其他用户(可能是敏感的)数据的集群内部流量。通过发布到这些频道,远程用户可以创建/修改/删除其他用户的数据并修改集群结构。
CVSS Information
N/A
Vulnerability Type
N/A