Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tailscale daemon is vulnerable to information disclosure via CSRF
Vulnerability Description
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
CVSS Information
N/A
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Tailscale 跨站请求伪造漏洞
Vulnerability Description
Tailscale是Tailscale开源的一款基于 WireGuard 的应用程序。可为任何规模的团队提供安全的专用网络。 Tailscale v1.32.3之前版本存在跨站请求伪造漏洞,该漏洞源于允许恶意网站访问对等API。攻击者利用该漏洞使用该API访问Tailscal环境变量。
CVSS Information
N/A
Vulnerability Type
N/A