CVE-2023-7080 — Improper Privilege Management in Wrangler

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

8.0HIGHNVD

EPSS

0.0%

top 87.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudflare Wrangler

Timeline

PublishedDec 29

Latest updateJan 3

Description

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If …

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages2 packages

▶NVDcloudflare/wrangler2.0.0 — 2.20.2+1

▶npmcloudflare/wrangler3.0.0 — 3.19.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Arbitrary remote code execution within `wrangler dev` Workers sandbox↗2024-01-03

▶

GHSA

Arbitrary remote code execution within `wrangler dev` Workers sandbox↗2024-01-03

▶