{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/devspace-ui--6.3.20/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["DevSpace UI \u003c= 6.3.20"],"_cs_severities":["high"],"_cs_tags":["websocket","kubernetes","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Loft"],"content_html":"\u003cp\u003eDevSpace, a tool for developing and deploying applications in Kubernetes, contains a vulnerability in its UI server WebSocket implementation. Versions 6.3.20 and earlier do not properly validate the origin of WebSocket connections. This allows a malicious website, visited by a developer running the DevSpace UI, to establish a cross-origin WebSocket connection to \u003ccode\u003ews://127.0.0.1:8090\u003c/code\u003e. Successful exploitation grants the attacker unauthorized access to sensitive functionalities, including real-time pod log streaming, opening interactive shells within running pods, and executing pre-defined pipeline commands. This poses a significant risk to developers using DevSpace as it allows unauthorized access to and control over their Kubernetes deployments. The vulnerability is identified as CVE-2026-42283.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer runs the DevSpace UI, typically accessible at \u003ccode\u003ews://127.0.0.1:8090\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe same developer uses a web browser to access the internet.\u003c/li\u003e\n\u003cli\u003eThe developer visits a malicious website that contains JavaScript designed to exploit the DevSpace WebSocket vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious website\u0026rsquo;s JavaScript establishes a WebSocket connection to the developer\u0026rsquo;s local DevSpace UI server (\u003ccode\u003ews://127.0.0.1:8090\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBecause the DevSpace UI server lacks origin validation, it accepts the connection from the malicious website.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the open WebSocket connection to access the \u003ccode\u003e/api/logs\u003c/code\u003e endpoint, streaming real-time pod logs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the connection to execute commands via the \u003ccode\u003e/api/command\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a shell in the pod via the \u003ccode\u003e/api/enter\u003c/code\u003e endpoint, achieving code execution within the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to a developer\u0026rsquo;s Kubernetes environment. This could lead to the exfiltration of sensitive information from pod logs, unauthorized execution of commands within pods, and potentially full compromise of the affected Kubernetes deployment. The impact is especially significant for developers working with sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade DevSpace to version 6.3.21 or later to patch the vulnerability (CVE-2026-42283).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the DevSpace UI server to trusted networks only.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual WebSocket connections to port 8090 using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable web server logging for unexpected requests to \u003ccode\u003e/api/logs\u003c/code\u003e, \u003ccode\u003e/api/enter\u003c/code\u003e, and \u003ccode\u003e/api/command\u003c/code\u003e endpoints originating from localhost, as detected by the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-devspace-websocket-vuln/","summary":"DevSpace's UI server WebSocket accepts connections from any origin, enabling attackers to access pod logs, interactive shells, and execute commands via cross-origin WebSocket connections; versions up to 6.3.20 are affected, patched in 6.3.21.","title":"DevSpace UI Server WebSocket Origin Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-devspace-websocket-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — DevSpace UI \u003c= 6.3.20","version":"https://jsonfeed.org/version/1.1"}