VDB
CVE-2023-26114
CVE-2023-26114
PUBLISHED
CVSS 8.199999809265137 HIGH
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.
EPSS 0.18% · 39.0th percentile
Risk Scores
CVSS v3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L/E:P
EPSS Score
0.18%
39.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | code-server | 0, 0 |
| coder | code-server | 0, 0 |
| n/a | code-server | 0, 0 |
Timeline
- Mar 23, 2023 CVE Published
- Mar 23, 2023 EPSS Score
- Mar 23, 2023 PoC Published
- Apr 30, 2023 EPSS Score
- Jun 8, 2023 EPSS Score
- Jul 16, 2023 EPSS Score
- Aug 23, 2023 EPSS Score
- Oct 1, 2023 EPSS Score
- Nov 8, 2023 EPSS Score
- Dec 16, 2023 EPSS Score
- Jan 24, 2024 EPSS Score
- Mar 2, 2024 EPSS Score
References
- https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148 url
- https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7 url
- https://github.com/coder/code-server/releases/tag/v4.10.1 url
- https://nvd.nist.gov/vuln/detail/CVE-2023-26114 advisory
- https://github.com/coder/code-server package