
Korewachino

#30555 of 53,632
8.6 Total CVSS
Vulnerabilities · 1

PT-2024-30666 · CVSS 8.6 · 2024-08-26 · Chisel · Chisel · CVE-2024-43798
**Name of the Vulnerable Software and Affected Versions**

Chisel versions prior to 1.10.0

**Description**

The Chisel server does not read the documented `AUTH` environment variable used to set credentials, so any unauthenticated user can connect even when credentials were set. This issue affects anyone running the Chisel server with credentials supplied through the `AUTH` environment variable. Chisel is often used to provide an entrypoint to a private network, which means services gated by Chisel may be affected. Chisel is also often used to expose services to the internet. An attacker could perform a man-in-the-middle (MITM) attack by connecting to a Chisel server and requesting to forward traffic from a remote port.

**Recommendations**

For versions prior to 1.10.0, upgrade to version 1.10.0 to resolve the issue. As a temporary workaround, consider disabling the use of the `AUTH` environment variable until a patch is available. Restrict access to the Chisel server to minimize the risk of exploitation. Avoid using the `AUTH` environment variable in the affected Chisel server until the issue is resolved.
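An added audit helper for operators (not code from the dbugs page or the Chisel project): it flags a deployment as exposed to CVE-2024-43798 when the server version is below 1.10.0 and the systemd unit passes credentials only through `Environment=AUTH=...`. It assumes the operator already knows the server's version string and the path of the unit file; the unit embedded below is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added audit helper for CVE-2024-43798; not part of the dbugs page or the
# Chisel project. Assumes the operator supplies the server version string
# (e.g. "1.9.1") and the systemd unit file that starts the server.

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1 }'
}

# unit_sets_auth_env FILE: succeeds when a systemd unit supplies credentials
# via Environment=AUTH=... (the mechanism the affected versions ignore).
unit_sets_auth_env() {
  grep -Eq '^Environment=(.*[[:space:]"])?AUTH=' "$1"
}

# chisel_auth_env_exposed VERSION FILE: succeeds (exit 0) when the server
# described by VERSION and unit FILE would accept unauthenticated clients:
# version before 1.10.0 and credentials configured through AUTH.
chisel_auth_env_exposed() {
  version_lt "$1" 1.10.0 && unit_sets_auth_env "$2"
}

# Constructed sample unit (placeholder credential, not a real deployment).
SAMPLE_UNIT="$(mktemp)"
cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
Environment=AUTH=deploy:PLACEHOLDER-SECRET
ExecStart=/usr/local/bin/chisel server -p 8080
EOF

if chisel_auth_env_exposed 1.9.1 "$SAMPLE_UNIT"; then
  echo "exposed: upgrade to 1.10.0 or stop relying on the AUTH variable"
else
  echo "not exposed"
fi
```

Run it against each host's real version and unit file; a unit that loads `AUTH` from an `EnvironmentFile=` is not detected by this check and needs a manual look.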