Authentication Bypass

Module: console-io

Published: April 18th, 2016

Reported by: Craig Arendt

CVE-NONE

CWE-287

Vulnerable: <=2.2.13
Patched: >=2.3.0

Overview

Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote code execution.

Remediation

Update to version 2.3.0 or later.
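
To confirm whether a project still resolves a vulnerable release, the following added example (not part of the original advisory or the console-io project) scans a parsed package-lock.json for console-io installs at or below 2.2.13. The lockfile contents and the names `isVulnerable`, `findVulnerable` and `sampleLock` are assumptions made for illustration.

```javascript
const PKG = 'console-io';
const LAST_VULNERABLE = [2, 2, 13]; // advisory: vulnerable <=2.2.13, patched >=2.3.0

// True when version <= 2.2.13; unparseable versions are flagged too (fail closed).
function isVulnerable(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return true;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_VULNERABLE[i]) return v[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 2.2.13
}

// Scan a parsed package-lock.json: the v2/v3 "packages" map and the v1 "dependencies" tree.
function findVulnerable(lock) {
  const hits = new Map(); // install path -> version, de-duplicated across both layouts
  const check = (name, path, info) => {
    if (name === PKG && isVulnerable(info.version)) hits.set(path, info.version);
  };
  for (const [path, info] of Object.entries(lock.packages || {})) {
    check(path.split('node_modules/').pop(), path, info);
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, path, info);
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/console-io': { version: '2.2.13' },
    'node_modules/tooling/node_modules/console-io': { version: '2.3.0' },
  },
  dependencies: {
    'console-io': { version: '2.2.13' },
    tooling: { version: '1.0.0', dependencies: { 'console-io': { version: '2.3.0' } } },
  },
};

console.log(findVulnerable(sampleLock));
```

Nested copies matter here: a transitive dependency can pin a vulnerable console-io even after the top-level entry has been updated.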