CVE-2024-23823: vantage6's CORS settings overly permissive

March 15, 2024

Impact

The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server.

The impact is limited because v6 does not use session cookies

Patches

Workarounds

References

github.com/advisories/GHSA-4946-85pr-fvxh
github.com/vantage6/vantage6
github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41
github.com/vantage6/vantage6/security/advisories/GHSA-4946-85pr-fvxh
nvd.nist.gov/vuln/detail/CVE-2024-23823

Detect and mitigate CVE-2024-23823 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →