CVE-2024-43798: Chisel's AUTH environment variable not respected in server entrypoint
The Chisel server doesn’t ever read the documented AUTH environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. This advisory is a formalization of a report sent to the maintainer via email.
References
- github.com/advisories/GHSA-38jh-8h67-m7mj
- github.com/jpillora/chisel
- github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go
- github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go
- github.com/jpillora/chisel/security/advisories/GHSA-38jh-8h67-m7mj
- nvd.nist.gov/vuln/detail/CVE-2024-43798
Code Behaviors & Features
Detect and mitigate CVE-2024-43798 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →