GSA_kwCzR0hTQS1yNWhtLW1wM2otMjg1Z84AA2C4

Critical EPSS: 0.00174% (0.39409 Percentile) EPSS:

Permalink JSON

sing-box vulnerable to improper authentication in the SOCKS inbound

Affected Packages	Affected Versions	Fixed Versions
go:github.com/sagernet/sing PURL: `pkg:go/github.com%2Fsagernet%2Fsing`	< 0.2.12-0.20230925092853-5b05b5c147d9	0.2.12-0.20230925092853-5b05b5c147d9
165 Dependent packages 407 Dependent repositories Affected Version Ranges All affected versions 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.11 All unaffected versions 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.2.21, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5
go:github.com/sagernet/sing-box PURL: `pkg:go/github.com%2Fsagernet%2Fsing-box`	>= 1.5.0-beta.1, < 1.5.0-rc.5, < 1.4.5	1.5.0-rc.5, 1.4.5
23 Dependent packages 30 Dependent repositories Affected Version Ranges All affected versions 0.1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.3.0, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0-beta.1, 1.5.0-beta.2, 1.5.0-beta.3, 1.5.0-beta.4, 1.5.0-beta.5, 1.5.0-beta.6, 1.5.0-beta.7, 1.5.0-beta.8, 1.5.0-beta.9, 1.5.0-beta.10, 1.5.0-beta.11, 1.5.0-beta.12, 1.5.0-rc.1, 1.5.0-rc.2, 1.5.0-rc.3, 1.5.0-rc.4 All unaffected versions 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.8.1, 1.8.2, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12, 1.11.13, 1.11.14, 1.11.15, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4

Impact

This vulnerability allows specially crafted requests to bypass authentication, affecting all SOCKS inbounds with user authentication.

Patches

Update to sing-box 1.4.5 or 1.5.0-rc.5 and later versions.

Workarounds

Don't expose the SOCKS5 inbound to insecure environments.

References:

Identifiers

GHSA-r5hm-mp3j-285g

CVE-2023-43644

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00174

EPSS Percentile: 0.39409

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/SagerNet/sing-box

Date and time

Published

almost 2 years ago

Updated

almost 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories