PT-2022-20564 · Unknown · ActivityWatch

Zozs · Published 2022-09-07 · Updated 2022-09-13 · CVE-2022-31149

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ActivityWatch versions prior to 0.12.0b2

Description: The issue allows attackers to perform DNS rebinding attacks, giving them full access to the ActivityWatch REST API. This impacts all users running the affected versions of ActivityWatch.

Recommendations: For versions prior to 0.12.0b2, upgrade to v0.12.0b2 or later to receive a patch. As a temporary workaround, consider blocking DNS lookups that resolve to 127.0.0.1.

Exploit · Fix

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2022-31149
GHSA-V9FG-6G9J-H4X4

Affected Products

ActivityWatch