EIQ-2019-0004



ID

EIQ-2019-0004

CVE

CVE-2018-14732

Description

No origin validation in webpack-dev-server

Date

30 Jan 2019

Severity

3 - HIGH

CVSSv3 score

7.5

Status

✓ 2.3.4

Assessment

webpack-dev-server versions 3.1.10 and earlier fail to correctly check the origin of the requests sent to the WebSocket server component.

This makes it possible for a remote attacker to send a Hot Module Replacement (HMR) message to a targeted system.
In this way, the attacker can obtain access to sensitive information on the targeted system.
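
The kind of check the assessment says is missing, sketched as an added example (this is not webpack-dev-server's code or its actual fix): a WebSocket handshake is accepted only when the Origin header names an allowed host. The allow-list, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Hypothetical allow-list of hosts the development server is meant to serve.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Returns true only when the browser-supplied Origin header names an allowed
// host. `headers` uses lower-case keys, as Node's http module presents them.
function isTrustedOrigin(headers, allowedHosts = ALLOWED_HOSTS) {
  const origin = headers["origin"];
  // A missing or opaque ("null") Origin is rejected, not treated as same-origin.
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // unparseable header value
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  // Compare the parsed hostname exactly: substring or prefix matching would
  // accept hosts such as "localhost.example.net".
  return allowedHosts.has(parsed.hostname.toLowerCase());
}

// Decide the response status for an incoming upgrade request:
// 101 = switch protocols, 403 = origin refused, 400 = not a WebSocket upgrade.
function decideUpgrade(req) {
  const upgrade = String(req.headers["upgrade"] || "").toLowerCase();
  if (upgrade !== "websocket") return 400;
  return isTrustedOrigin(req.headers) ? 101 : 403;
}

// Constructed sample handshakes (not captured traffic).
const SAMPLE_REQUESTS = [
  { headers: { upgrade: "websocket", origin: "http://localhost:8080" } },
  { headers: { upgrade: "websocket", origin: "https://other-site.example" } },
  { headers: { upgrade: "websocket", origin: "http://localhost.example.net" } },
  { headers: { upgrade: "websocket" } },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(req.headers.origin || "(no Origin)", "->", decideUpgrade(req));
}
```

Browsers set the Origin header themselves and page script cannot override it, so this check addresses connections opened by cross-site pages; it does not authenticate non-browser clients.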

Mitigation

Affected versions

2.3.0 to 2.3.3 included.

Notes

For more information, see:


In release notes 2.3.3

In release notes 2.3.4