This repository has been archived on 2024-09-12. You can view files and clone it, but cannot push or open issues or pull requests.
svrjs-blog/source/_posts/Attention-Upgrade-RedBrick-OrangeCircle-YellowSquare-and-reverse-proxy-mod.md
2024-03-15 23:24:27 +01:00

1.6 KiB

title date tags categories
Attention! Upgrade RedBrick, OrangeCircle, YellowSquare and reverse-proxy-mod! 2023-08-15 14:41:13
cybersecurity
Notices

We have discovered security vulnerabilites in those SVR.JS mods. Fortunately we have patched those mods. But it's recommended to upgrade these mods immediately.

Patched versions:

  • RedBrick 2.3.3 and newer
  • reverse-proxy-mod 1.0.4 and newer
  • OrangeCircle 1.0.2 and newer
  • YellowSquare 1.0.1 and newer

Unpatched versions have various configuration file and source code leakage vulnerabilities. You can view our security advisory.

UPDATE: We discovered this vulnerability: "An attacker could hack the upstream server, replace the web server or application with one that sends an invalid HTTP response code, and make a request to the hacked server through the reverse proxy to crash the reverse proxy server". The vulnerability is patched in reverse-proxy-mod 1.1.2 and newer.

UPDATE 2: We have discovered and mitigated even more security vulnerabilites in RedBrick, OrangeCircle and YellowSquare. We recommend to upgrade your SVR.JS mods to patched versions immediately.

Patched versions:

  • RedBrick 2.5.4 and newer
  • OrangeCircle 1.0.4 and newer
  • YellowSquare 1.0.4 and newer

With unpatched versions, an attacker could add HTTP authentication header to the HTTP request when not required to enable web application functionality normally disabled on unauthenticated requests. You can view our security advisory.