CVE-2023-26114

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

CVSS v3.0 9.3 CRITICAL

9.3^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7	Patch
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://github.com/coder/code-server/releases/tag/v4.10.1	Release Notes
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch
https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*

History

25 Feb 2025, 20:15

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/coder/code-server/releases/tag/v4.10.1 - Release Notes~~	() https://github.com/coder/code-server/releases/tag/v4.10.1 - Release Notes
References	~~(MISC) https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7 - Patch~~	() https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7 - Patch
References	~~(MISC) https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148 - Patch~~	() https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148 - Patch

Information

Published : 2023-03-23 05:15

Updated : 2025-02-25 20:15

NVD link : CVE-2023-26114

Mitre link : CVE-2023-26114

JSON object : View

Products Affected

coder

code-server

CWE

CWE-346

Origin Validation Error

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "name": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "tags": ["Patch"], "refsource": ""}, {"url": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "name": "https://github.com/coder/code-server/commit/d477972c68fc8c8e8d610aa7287db87ba90e55c7", "tags": ["Patch"], "refsource": ""}, {"url": "https://github.com/coder/code-server/releases/tag/v4.10.1", "name": "https://github.com/coder/code-server/releases/tag/v4.10.1", "tags": ["Release Notes"], "refsource": ""}, {"url": "https://github.com/coder/code-server/releases/tag/v4.10.1", "name": "https://github.com/coder/code-server/releases/tag/v4.10.1", "tags": ["Release Notes"], "refsource": ""}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "name": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "tags": ["Patch"], "refsource": ""}, {"url": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "name": "https://security.snyk.io/vuln/SNYK-JS-CODESERVER-3368148", "tags": ["Patch"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-346"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-26114", "ASSIGNER": "report@snyk.io"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}}, "publishedDate": "2023-03-23T05:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:coder:code-server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "4.10.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-02-25T20:15Z"}