Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Vulnerability Description
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header. Because AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled. This could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed. Version 4.12.2 patches the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vulnerability Type
对数据真实性的验证不充分
Vulnerability Title
Hono 数据伪造问题漏洞
Vulnerability Description
Hono是Hono社区的一个用 TypeScript 编写的 Web 框架。 Hono 4.12.0版本和4.12.1版本存在数据伪造问题漏洞,该漏洞源于在应用程序负载均衡器后使用AWS Lambda适配器时,getConnInfo()函数错误地选择X-Forwarded-For标头的第一个值,由于AWS ALB将真实客户端IP地址附加到X-Forwarded-For标头末尾,第一个值可能受攻击者控制,可能导致基于IP的访问控制机制被绕过。
CVSS Information
N/A
Vulnerability Type
N/A