Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cnE2LTdndjgtYzM3aM0W0w
Missing Authorization with Default Settings in Dashboard UI
Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter
filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.
However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.
Impact
Missing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the Using Dashboard documentation article.
Impacted
If you are using UseHangfireDashboard
method with default DashboardOptions.Authorization
property value, then your installation is impacted:
app.UseHangfireDashboard(); // Impacted
app.UseHangfireDashboard("/hangfire", new DashboardOptions()); // Impacted
Not Impacted
If any other authorization filter is specified in the DashboardOptions.Authorization
property, the you are not impacted:
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted
});
Patches
Patch is already available in version 1.7.26 and already available on NuGet.org, please see Hangfire.Core 1.7.26. Default authorization rules now prohibit remote requests by default again by including the LocalRequestsOnlyAuthorizationFilter
filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.
Workarounds
It is possible to fix the issue by using the LocalRequestsOnlyAuthorizationFilter
explicitly when configuring the Dashboard UI. In this case upgrade is not required.
// using Hangfire.Dashboard;
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }
});
References
Original GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958
Permalink: https://github.com/advisories/GHSA-7rq6-7gv8-c37hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cnE2LTdndjgtYzM3aM0W0w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Identifiers: GHSA-7rq6-7gv8-c37h, CVE-2021-41238
References:
- https://github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h
- https://nvd.nist.gov/vuln/detail/CVE-2021-41238
- https://github.com/HangfireIO/Hangfire/issues/1958
- https://www.nuget.org/packages/Hangfire.Core
- https://github.com/advisories/GHSA-7rq6-7gv8-c37h
Blast Radius: 1.0
Affected Packages
nuget:Hangfire.Core
Dependent packages: 0Dependent repositories: 0
Downloads: 149,877,757 total
Affected Version Ranges: = 1.7.25
Fixed in: 1.7.26
All affected versions: 1.7.25
All unaffected versions: 0.1.0, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34, 1.7.35, 1.7.36, 1.7.37, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12