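Vulnerability title
umatiGateway's UI publicly accessible in provided docker-compose file
Vulnerability description
umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker; it communicates using JSON messages. With the docker-compose file provided by umatiGateway, its user interface may be publicly accessible. With this access, a user can view and modify the configuration. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network only. For users who cannot apply this patch, a firewall on port 8080 can block remote access, but this approach may not be fully effective because Docker may bypass the firewall through its iptables-based port forwarding rules.
CVSS information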
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Vulnerability category
Exposure of Resource to Wrong Sphere
Vulnerability title
umatiGateway's UI publicly accessible in provided docker-compose file
Vulnerability description
umatiGateway is software for connecting OPC Unified Architecture servers with an MQTT broker utilizing JSON messages. The user interface may be publicly accessible with umatiGateway's provided docker-compose file. With this access, the configuration can be viewed and altered. Commit 5d81a3412bc0051754a3095d89a06d6d743f2b16 uses `127.0.0.1:8080:8080` to limit access to the local network. For those who are unable to use this proposed patch, a firewall on port 8080 may block remote access, but the workaround may not be perfect because Docker may also bypass a firewall through its iptables-based rules for port forwarding.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Vulnerability category
Information Exposure
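
An added example, not part of the original record or of the umatiGateway project: a Python check that reads the short-syntax `ports` entries of a compose file and reports any that are not bound to a loopback address, the change the fixing commit makes. The sample compose text, service names and image name are constructed, and long-syntax port mappings are not handled.

```python
import ipaddress
import re

# Constructed sample: the first service publishes on every interface, the
# second only on loopback (the form the fixing commit uses).
SAMPLE_COMPOSE = """\
services:
  gateway-exposed:
    image: example/gateway   # placeholder image name
    ports:
      - "8080:8080"
  gateway-local:
    image: example/gateway
    ports:
      - "127.0.0.1:8080:8080"
"""

def bind_address(spec):
    """Return the host IP a short-syntax port entry binds to ('0.0.0.0' if none given)."""
    spec = spec.split("/")[0]                      # drop "/tcp" or "/udp"
    m = re.match(r"^\[([0-9a-fA-F:]+)\]:", spec)   # bracketed IPv6, e.g. [::1]:8080:8080
    if m:
        return m.group(1)
    parts = spec.split(":")
    # "IP:HOST:CONTAINER" has three fields; "HOST:CONTAINER" and "CONTAINER" carry no IP.
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def audit(compose_text):
    """Return (service, entry, bind_ip) for each port entry not bound to loopback."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        line = line.split(" #")[0].rstrip()        # strip trailing comments
        if re.match(r"^  \S[^:]*:$", line):        # two-space indent: a service name
            service, in_ports = line.strip()[:-1], False
        elif line.strip() == "ports:":
            in_ports = True
        elif in_ports and line.strip().startswith("- "):
            entry = line.strip()[2:].strip("\"'")
            ip = bind_address(entry)
            if not ipaddress.ip_address(ip).is_loopback:
                findings.append((service, entry, ip))
        elif line.strip():
            in_ports = False                       # any other key ends the ports list
    return findings

if __name__ == "__main__":
    for service, entry, ip in audit(SAMPLE_COMPOSE):
        print(f"{service}: '{entry}' is published on {ip}, reachable from other hosts")
```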