Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.
Start learningUpgrade @mockoon/commons-server to version 9.7.0 or higher.
@mockoon/commons-server is a Mockoon's commons server library. Used in Mockoon desktop application and CLI.
Affected versions of this package are vulnerable to Missing Authentication for Critical Function in admin-api.ts, which mounts the admin API on the same listener as user-defined mock routes (enabled by default via packages/cli/src/commands/start.ts and packages/serverless/src/libs/serverless.ts) and serves every endpoint with Access-Control-Allow-Origin: *, all HTTP methods, and no authentication. An attacker can read MOCKOON_* secrets, overwrite arbitrary process.env variables, rewrite mock route responses at runtime, and harvest consumer request bodies and authentication headers from the logs by sending unauthenticated requests to the /mockoon-admin endpoints, and the wildcard CORS lets these requests land cross-origin from a browser when a developer visits a malicious site while the server runs. Exploitation requires network reach to the mock server port, which by default binds to all interfaces at 0.0.0.0:3000 with the admin API enabled, while the cross-origin path additionally requires the developer to visit a malicious site during a local run.
This vulnerability can be avoided by starting the CLI with the --disable-admin-api flag, which turns off the admin API that is otherwise enabled by default while leaving the mock server functional.