This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0 https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
CVE-2024-4128 - Low Severity Vulnerability
Vulnerable Library - firebase-tools-6.5.3.tgz
Command-Line Interface for Firebase
Library home page: https://registry.npmjs.org/firebase-tools/-/firebase-tools-6.5.3.tgz
Path to dependency file: /site-landing/package.json
Path to vulnerable library: /node_modules/firebase-tools/package.json
Dependency Hierarchy: - :x: **firebase-tools-6.5.3.tgz** (Vulnerable Library)
Found in HEAD commit: 2bc554ca8247868a43e42fb2b384c86388349b78
Found in base branch: master
Vulnerability Details
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0 https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
Publish Date: 2024-05-02
URL: CVE-2024-4128
CVSS 3 Score Details (2.6)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-4128
Release Date: 2024-05-02
Fix Resolution: 13.6.1
Step up your Open Source Security Game with Mend here