python-engineio Origin Header Cross-Site WebSocket Hijacking Vulnerability [CVE-2019-13611]

CVE number – CVE-2019-13611

A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.

The vulnerability exists because the affected software does not restrict the Origin header. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. A successful exploit could allow the attacker to initiate a websocket connection to the system by using the targeted user’s credentials. The vendor has confirmed the vulnerability; however, software updates are not available.
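The check whose absence the advisory describes is server-side validation of the Origin header on the WebSocket handshake. The following is an added example, not code from the advisory or from the python-engineio project: it canonicalises the Origin value (scheme, host, port) and accepts the upgrade only when it matches an allowlist. The allowlist entries, the WSGI environ keys read, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the browser origins that may open a WebSocket to this
# server. Scheme, host and port must all match; nothing else is accepted.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin):
    """Reduce an Origin header value to a canonical (scheme, host, port) triple.

    Returns None for anything that cannot be an acceptable browser origin: the
    opaque "null" origin, a missing host, an unknown scheme, embedded
    credentials, a path/query component, or a malformed port.
    """
    if origin is None:
        return None
    origin = origin.strip()
    if origin.lower() == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A browser-issued Origin carries only scheme://host[:port]; anything more
    # is not a real origin and is rejected rather than guessed about.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def is_origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """True only when the Origin canonicalises to an allowlisted origin."""
    candidate = normalize_origin(origin_header)
    if candidate is None:
        return False
    return any(candidate == normalize_origin(entry) for entry in allowed)


def check_websocket_handshake(environ, allowed=ALLOWED_ORIGINS):
    """Decide whether to complete a WebSocket upgrade for a WSGI request.

    Browsers always attach Origin to a WebSocket handshake. A request with no
    Origin therefore comes from a non-browser client; it is accepted here
    because CSWSH depends on the browser silently sending the victim's
    cookies, which such a client cannot do. Returns (accept, reason).
    """
    if environ.get("HTTP_UPGRADE", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = environ.get("HTTP_ORIGIN")
    if origin is None:
        return True, "no Origin header (non-browser client)"
    if is_origin_allowed(origin, allowed):
        return True, "origin allowed"
    return False, "origin %s rejected" % origin


if __name__ == "__main__":
    # Constructed handshakes: a legitimate page, and a cross-site page that
    # would carry the victim's session cookie if the Origin were not checked.
    for env in (
        {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "https://app.example.com"},
        {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "https://attacker.example"},
        {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "null"},
    ):
        print(env.get("HTTP_ORIGIN"), "->", check_websocket_handshake(env))
```

The comparison is done on the canonical triple rather than on the raw string so that `HTTPS://APP.EXAMPLE.COM:443` and `https://app.example.com` are treated as the same origin, while a host that merely starts with the allowed name (`app.example.com.attacker.example`) is not. Whether to accept a handshake with no Origin at all is a deployment decision; the function above accepts it and says so in its reason string so the choice is visible in logs.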

Analysis

  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link that submits malicious input to the targeted system.

Vendor Announcements

  • The vendor has released an issue report at the following link: Issue #128

Fixed Software

  • At the time this alert was first published, the vendor had not released software updates.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
