CVE-2023-37649

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthorized attackers to access sensitive data through incorrect access control in Cockpit CMS's Content component. It affects all users running Cockpit CMS v2.5.2 or earlier versions with the vulnerable component. Attackers can exploit this without authentication to view protected content.

💻 Affected Systems

Products:
  • Cockpit CMS
Versions: v2.5.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the Content component enabled are vulnerable. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all sensitive content managed by Cockpit CMS, including private documents, user data, and confidential information stored in the content management system.

🟠 Likely Case

Unauthorized access to sensitive content and data stored in the CMS, potentially leading to data breaches and privacy violations.

🟢 If Mitigated

Limited or no data exposure if proper network segmentation, authentication layers, or access controls are implemented independently of the vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has publicly available proof-of-concept details. Exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.6.0

Vendor Advisory: https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.6.0

Restart Required: Yes

Instructions:

1. Back up your current Cockpit CMS installation and database.
2. Download Cockpit CMS v2.6.0 from the official GitHub releases.
3. Replace the existing installation files with the new version.
4. Restart your web server to apply the changes.

🔧 Temporary Workarounds

Disable Content Component

Platform: all

Temporarily disable the vulnerable /models/Content component if not essential

# Modify Cockpit configuration to disable Content component
# Edit config/config.yaml and remove or comment Content component references

Network Access Restriction

Platform: linux

Restrict network access to Cockpit CMS administration interface

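# Example iptables rules to restrict access
# Replace trusted_ip_range with the CIDR of your trusted hosts (placeholder, not a literal value).
# -A appends to the chain and the first matching rule wins, so the ACCEPT must precede the DROP.
# If the site is also served over HTTPS, repeat both rules for --dport 443.
iptables -A INPUT -p tcp --dport 80 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP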

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access to /models/Content endpoints
  • Add an additional authentication layer in front of Cockpit CMS using a reverse proxy with authentication

🔍 How to Verify

Check if Vulnerable:

Check if your Cockpit CMS version is 2.5.2 or earlier by examining the version file or admin interface

Check Version:

grep 'version' cockpit/config/version.php || grep version cockpit/package.json

Verify Fix Applied:

Verify installation shows version 2.6.0 or later and test that unauthorized access to /models/Content endpoints is properly blocked

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /models/Content endpoints
  • Multiple failed authentication attempts followed by successful content access

Network Indicators:

  • Unusual traffic patterns to /models/Content from unauthenticated sources
  • Data exfiltration from content endpoints

SIEM Query:

source="web_server_logs" AND (uri="/models/Content" OR uri="/api/models/Content") AND status=200 AND user="-"
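
The same check as the SIEM query above, written as an added example (not code from the vendor or from this advisory) that runs over Apache/nginx combined-format access logs and totals the response bytes per client, which also covers the data-exfiltration indicator. It assumes the web server or an authenticating reverse proxy records the authenticated user in the remote-user field and writes "-" otherwise; the log lines, IP addresses and sub-paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path prefixes taken from the SIEM query on this page.
WATCHED_PREFIXES = ("/models/Content", "/api/models/Content")

# Combined log format: ip ident user [time] "METHOD uri PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def is_watched(uri):
    """True if the request path equals a watched prefix or sits beneath it."""
    path = urlsplit(uri).path  # drop the query string before comparing
    return any(path == p or path.startswith(p + "/") for p in WATCHED_PREFIXES)

def unauthenticated_hits(lines):
    """Per client IP: number and total size of 200 responses served to user '-'."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200" or m["user"] != "-":
            continue  # unparsable, not successful, or an authenticated user
        if not is_watched(m["uri"]):
            continue
        entry = hits[m["ip"]]
        entry["requests"] += 1
        entry["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:10:00:01 +0000] "GET /api/models/Content?limit=50 HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2023:10:00:02 +0000] "GET /models/Content/example HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.20 - editor [10/Jul/2023:10:01:00 +0000] "GET /models/Content HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jul/2023:10:02:00 +0000] "GET /models/Content HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jul/2023:10:02:05 +0000] "GET /models/ContentExtra HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, stats in unauthenticated_hits(SAMPLE_LOG).items():
        print(ip, stats)
```

If the application authenticates with its own sessions or tokens rather than through the web server, the remote-user field is "-" for every request and the results need to be narrowed by source address or correlated with application logs.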
