漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Vulnerability Description
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
Coder 授权问题漏洞
Vulnerability Description
Coder是Coder组织开源的一个可以在公共或私有云基础设施中设置开发环境的应用程序。 Coder存在授权问题漏洞,该漏洞源于AI Bridge代理端点通过Server.IsAuthorized进行身份验证时,未检查账户是否被暂停,导致已暂停用户的未过期API密钥仍可继续使用,可能导致信息泄露和非法修改。
CVSS Information
N/A
Vulnerability Type
N/A