Severity: critical

Authentication Bypass

console-io

Overview

Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote code execution.

Remediation

Update to version 2.3.0 or later.
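
The kind of handshake check whose absence the Overview describes, as an added example that is not console-io's code or its 2.3.0 fix: a Node.js `upgrade` handler that refuses any WebSocket handshake without a live session. The cookie name `sid`, the session store and the function names are assumptions.

```javascript
// Added example, not console-io's code. The cookie name "sid", the session
// store and all function names are assumptions made for illustration.

// Return one cookie's value from a Cookie header, or null if absent.
function readCookie(header, name) {
  if (typeof header !== 'string') return null;
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return null;
}

// Decide whether a WebSocket upgrade request carries a live session.
// `sessions` is a Map of session id -> expiry time in ms (hypothetical store).
function authorizeUpgrade(req, sessions, now = Date.now()) {
  const sid = readCookie(req.headers.cookie, 'sid');
  if (!sid) return { ok: false, reason: 'no session cookie' };
  const expires = sessions.get(sid);
  if (expires === undefined) return { ok: false, reason: 'unknown session' };
  if (expires <= now) return { ok: false, reason: 'expired session' };
  return { ok: true, reason: 'authenticated' };
}

// Attach to a Node http.Server. The handshake is refused before any websocket
// library receives the socket, so the terminal channel fails closed.
function guardUpgrades(server, sessions, onAuthorized) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = authorizeUpgrade(req, sessions);
    if (!verdict.ok) {
      socket.end('HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n');
      return;
    }
    onAuthorized(req, socket, head); // hand off to the websocket library
  });
}

// Constructed sample handshakes, evaluated at a fixed clock of t=1000 ms.
function demo() {
  const sessions = new Map([['live-id', 2000], ['old-id', 500]]);
  const cookies = [undefined, 'theme=dark; sid=live-id', 'sid=old-id', 'sid=guess'];
  return cookies.map((cookie) => authorizeUpgrade({ headers: { cookie } }, sessions, 1000).reason);
}
```

The guard only helps if it is the sole `upgrade` listener on the server; a websocket library that also registers its own listener on the same server would still accept the unauthenticated handshake.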


Advisory timeline

  1. Published (advisory published): Apr 18th, 2016
  2. Reported: Mar 28th, 2016