PT-2025-4596 · Coolify · Coolify

Angelej · Published 2025-01-24 · Updated 2025-01-31 · CVE-2025-22610

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.361

Description: The issue is a missing authorization check that allows any authenticated user to access and modify the global Coolify instance OAuth configuration. This exposes sensitive information, including the client id and client secret of every custom OAuth provider.

Recommendations: For versions prior to 4.0.0-beta.361, update to version 4.0.0-beta.361 or later to resolve the issue. As a temporary workaround, consider restricting access to the global OAuth configuration to minimize the risk of exploitation.
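The weakness class behind this advisory is that an endpoint checks only that the caller is logged in, not that the caller is allowed to touch instance-wide settings. The following Python model is an added illustration and is not Coolify's code: the User and OAuthProvider types, the hypothetical is_instance_admin role, the in-memory settings store and the sample provider values are all constructed stand-ins. It places the authentication-only handlers next to handlers that enforce an instance-admin gate on both the read and the write path; redacting the client secret on read is an extra hardening choice shown here, not something the advisory prescribes.

```python
"""Missing-authorization pattern behind CVE-2025-22610, modelled in a toy
service. Added illustration, not Coolify code: every type, role name and
sample value below is a hypothetical stand-in."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    username: str
    is_instance_admin: bool = False  # hypothetical instance-wide admin role


@dataclass(frozen=True)
class OAuthProvider:
    name: str
    client_id: str
    client_secret: str


def sample_store():
    """Constructed sample of a global (instance-wide) OAuth configuration."""
    return {
        "github": OAuthProvider("github", "gh-client-id-123", "gh-secret-DO-NOT-LEAK"),
        "google": OAuthProvider("google", "goog-client-id-456", "goog-secret-DO-NOT-LEAK"),
    }


def require_login(user):
    """Authentication check only: is there a signed-in user at all?"""
    if user is None:
        raise AuthorizationError("authentication required")


def require_instance_admin(user):
    """Authorization check: being logged in is not enough for instance-wide
    settings; the caller must also hold the admin role."""
    require_login(user)
    if not user.is_instance_admin:
        raise AuthorizationError(f"{user.username} is not an instance admin")


# --- Vulnerable pattern: the only gate is "is the caller logged in?" ----

def read_oauth_config_vulnerable(user, store):
    """Every authenticated user receives every provider, secrets included."""
    require_login(user)
    return {name: (p.client_id, p.client_secret) for name, p in store.items()}


def update_oauth_config_vulnerable(user, store, name, client_id, client_secret):
    """Every authenticated user can overwrite the global provider config."""
    require_login(user)
    store[name] = OAuthProvider(name, client_id, client_secret)


# --- Hardened pattern: admin gate on both paths, secret never echoed ----

def redact(secret):
    """Return a masked form that confirms a secret is set without revealing it."""
    return "****" + secret[-4:] if len(secret) > 4 else "****"


def read_oauth_config_fixed(user, store):
    require_instance_admin(user)
    return {name: (p.client_id, redact(p.client_secret)) for name, p in store.items()}


def update_oauth_config_fixed(user, store, name, client_id, client_secret):
    require_instance_admin(user)
    store[name] = OAuthProvider(name, client_id, client_secret)


def is_denied(action, *args):
    """True if the action raises AuthorizationError; used to compare the two patterns."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    bob = User("bob")                              # ordinary authenticated user
    alice = User("alice", is_instance_admin=True)  # instance admin
    print("vulnerable read by bob:", read_oauth_config_vulnerable(bob, store))
    print("fixed read by bob denied:", is_denied(read_oauth_config_fixed, bob, store))
    print("fixed read by alice:", read_oauth_config_fixed(alice, store))
```

Reading the two read handlers side by side is the whole point: the vulnerable one stops at require_login, so the PR:L in the CVSS vector (any low-privilege authenticated account) is sufficient to pull every provider's client secret, while the fixed one fails closed for that same account and still keeps the secret out of the response for the admin.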

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2025-22610
GHSA-496V-9Q38-2X6C

Affected products

Coolify