PT-2021-23205 · Hangfire · Hangfire

Odinserj · Published 2021-11-02 · Updated 2021-11-04 · CVE-2021-41238

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Hangfire version 1.7.25

Description: Hangfire is an open source system to perform background job processing in .NET or .NET Core applications. The Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. However, due to recent changes, version 1.7.25 applies no authorization filters by default, allowing remote requests to succeed. If the UseHangfireDashboard method is used with the default DashboardOptions.Authorization property value, the installation is impacted. The issue can be mitigated by upgrading to the newest version or by using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI.

Recommendations: For Hangfire version 1.7.25, upgrade to version 1.7.26 to mitigate the issue. As a temporary workaround for version 1.7.25, consider using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI, for example:
```csharp
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    // Pass the filter list explicitly instead of relying on the 1.7.25 default, which applies no filters
    Authorization = new[] { new LocalRequestsOnlyAuthorizationFilter() }
});
```
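LocalRequestsOnlyAuthorizationFilter only admits requests whose remote address is the loopback interface, so it does not help when the dashboard is reached through a reverse proxy or from other hosts. The following is an added example, not code from the advisory or from the Hangfire project, of an ASP.NET Core host that sets DashboardOptions.Authorization explicitly and supplies its own IDashboardAuthorizationFilter requiring an authenticated user in a role. The cookie scheme, the Hangfire.InMemory storage package and the role name "HangfireAdmin" are assumptions for illustration; RoleDashboardAuthorizationFilter is a hypothetical class defined here.

```csharp
// Added example (not from the advisory or the Hangfire project).
// Assumed packages: Hangfire.AspNetCore, Hangfire.InMemory (for UseInMemoryStorage).
using Hangfire;
using Hangfire.Dashboard;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Placeholder authentication scheme: anything that populates HttpContext.User works.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();
builder.Services.AddAuthorization();

builder.Services.AddHangfire(cfg => cfg.UseInMemoryStorage());
builder.Services.AddHangfireServer();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    // Always set this list explicitly. With 1.7.25's empty default, every remote
    // request to /hangfire would be served. Hangfire evaluates each filter in turn
    // and rejects the request with 401 as soon as one returns false, so filters
    // combine as a logical AND: add LocalRequestsOnlyAuthorizationFilter here too
    // if the dashboard must additionally be reachable from the host itself only.
    Authorization = new IDashboardAuthorizationFilter[]
    {
        new RoleDashboardAuthorizationFilter("HangfireAdmin") // placeholder role name
    }
});

app.Run();

/// <summary>
/// Hypothetical filter (defined in this example): admits the dashboard only when
/// the request carries an authenticated principal that holds the given role.
/// </summary>
public sealed class RoleDashboardAuthorizationFilter : IDashboardAuthorizationFilter
{
    private readonly string _role;

    public RoleDashboardAuthorizationFilter(string role) => _role = role;

    public bool Authorize(DashboardContext context)
    {
        // GetHttpContext() is the Hangfire.AspNetCore bridge to the ASP.NET Core request.
        HttpContext http = context.GetHttpContext();
        var user = http.User;

        // Fail closed: an anonymous principal or a missing role denies access.
        return user?.Identity?.IsAuthenticated == true && user.IsInRole(_role);
    }
}
```

To verify the mitigation after deployment, request /hangfire once without a session and once with a session lacking the role; both should return 401, and only a session holding the role should receive the dashboard HTML.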

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2021-41238
GHSA-7RQ6-7GV8-C37H

Affected Products

Hangfire