CVE-2018-6651
CVE-2018-6651 is a vulnerability of currently unknown severity. In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer. EPSS estimates a 2.16% chance of exploitation in the next 30 days.
Description
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
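The difference between substring matching and exact matching of the Origin header, as an added example. This is not uncurl's or Parsec's code: the function names, the allowlist and the sample header values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strcasecmp (POSIX) */

/* Constructed allowlist for illustration; not Parsec's real origins. */
static const char *const ALLOWED_ORIGINS[] = {
    "https://app.example",
    "https://staging.app.example:8443",
};
#define N_ALLOWED (sizeof ALLOWED_ORIGINS / sizeof ALLOWED_ORIGINS[0])

/* Flawed pattern: any Origin that merely contains an allowed value passes. */
bool origin_ok_substring(const char *origin)
{
    if (origin == NULL)
        return false;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strstr(origin, ALLOWED_ORIGINS[i]) != NULL)
            return true;
    return false;
}

/* Hardened pattern: the whole header value must equal an allowlist entry.
 * Scheme and host are case-insensitive, so the comparison ignores case. */
bool origin_ok_exact(const char *origin)
{
    if (origin == NULL) /* missing Origin header: reject */
        return false;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcasecmp(origin, ALLOWED_ORIGINS[i]) == 0)
            return true;
    return false;
}

int main(void)
{
    /* Constructed header values. */
    const char *samples[] = {
        "https://app.example",
        "https://app.example.other.test",
        "https://other.test",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s substring=%d exact=%d\n", samples[i],
               origin_ok_substring(samples[i]), origin_ok_exact(samples[i]));
    return 0;
}
```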
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Uncurl Project | Uncurl | < 0.07 |
| Parsecgaming | Parsec | < 140-3 |
References
- https://github.com/chrisd1100/uncurl/commit/448cd13e7b18c83855d706c564341ddd1e38e769 (Patch, Third Party Advisory)
- https://github.com/chrisd1100/uncurl/releases/tag/0.07 (Third Party Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
