8.3 HIGH
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): Present (P)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): High (H)
- Vulnerable System Impact Integrity (VI): Low (L)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): Present (P)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): High (H)
- Modified Vulnerable System Impact Integrity (MVI): Low (L)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
References
-
https://github.com/tilt-dev/tilt/security/advisories/GHSA-6m68-r693-78qx x_refsource_CONFIRM
-
https://github.com/tilt-dev/tilt/pull/6776 x_refsource_MISC
-
https://github.com/tilt-dev/tilt/releases/tag/v0.37.4 x_refsource_MISC
Affected products
- ==>= 0.24.0, < 0.37.4
Matching in nixpkgs
pkgs.tilt
Local development tool to manage your developer instance when your team deploys to Kubernetes in production
pkgs.rubyPackages.tilt
None
pkgs.rubyPackages_3_3.tilt
None
pkgs.rubyPackages_3_4.tilt
None
pkgs.rubyPackages_4_0.tilt
None
pkgs.python313Packages.tilt-pi
Python client for interacting with the Tilt Pi API
pkgs.python314Packages.tilt-pi
Python client for interacting with the Tilt Pi API
pkgs.python313Packages.tilt-ble
Library for Tilt BLE devices
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@anton-dessiatov Anton Desyatov <anton.dessiatov@gmail.com>
-
@zacharyarnaise Zachary Arnaise