CVE-2014-125071

lukehutch Gribbit HttpRequestHandler.java messageReceived missing origin validation in websockets

CVSS 5.5 MEDIUMEPSS 0.4%CWE-1385

In short

The Gribbit web framework fails to validate the origin of WebSocket connections, allowing requests from unauthorized websites to communicate with the application. This can enable cross-site attacks where malicious sites trick users into sending data to or receiving data from the vulnerable application.

Technical detail

The messageReceived function in HttpRequestHandler.java does not perform origin validation on incoming WebSocket messages, creating a cross-site WebSocket hijacking (CSWSH) vulnerability. An attacker can craft a malicious webpage that establishes a WebSocket connection to the vulnerable server, potentially bypassing same-origin protections and accessing or manipulating data if the user visits the attacker's site while authenticated.

Summary generated and translated by AI from the official description.

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected products

lukehutch · Gribbit

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lukehutch/gribbit/commit/620418df247aebda3dd4be1dda10fe229ea505dd https://vuldb.com/?ctiid.217716 https://vuldb.com/?id.217716