github shellhub-io/shellhub v0.21.7

5 hours ago

Security

Fixes four cross-tenant and input-validation advisories:

  • GHSA-vwx9-7qcf-gg7f — cross-tenant IDOR on namespace endpoints reachable via API Key and JWT callers, allowing a caller to read, edit, delete or toggle session recording of a namespace they are not scoped to, and to enumerate namespaces across tenants on the list endpoint. (initially fixed in v0.21.6)
  • GHSA-j72x-xfwg-783f — GET /api/devices/:uid returned the full device object for any authenticated caller, allowing cross-tenant disclosure of device metadata (hostname, MAC, OS, public key, remote address, last-seen).
  • GHSA-9w9c-9w8m-w89q — GET /api/sessions/:uid returned the full session object for any authenticated caller, allowing cross-tenant disclosure of SSH session data (username, device UID, remote IP, authentication state, timestamps).
  • GHSA-47r2-v3x6-wff9 — filter and sort query parameters on the device list accepted attacker-controlled identifiers as BSON keys, enabling HTTP 500 crash-DoS and blind regex extraction via $regex values.
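
The two bug classes above, a lookup keyed by UID alone and client-supplied identifiers reaching the database as BSON keys, shown next to a tenant-scoped and allowlisted form. This is an added illustration in Go and not ShellHub's code; the Device type, the in-memory store, the field allowlist and the Filter shape are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Device is a minimal stand-in for a device record (assumption, not ShellHub's type).
type Device struct {
	UID      string
	TenantID string
	Hostname string
}

var ErrNotFound = errors.New("device not found")

// store is a constructed in-memory dataset spanning two tenants.
var store = map[string]Device{
	"dev-a1": {UID: "dev-a1", TenantID: "tenant-a", Hostname: "build-01"},
	"dev-b7": {UID: "dev-b7", TenantID: "tenant-b", Hostname: "hr-laptop"},
}

// GetDeviceUnscoped mirrors the vulnerable pattern: the lookup is keyed only
// by UID, so any authenticated caller can read any tenant's device.
func GetDeviceUnscoped(uid string) (Device, error) {
	d, ok := store[uid]
	if !ok {
		return Device{}, ErrNotFound
	}
	return d, nil
}

// GetDeviceScoped is the hardened form: the caller's tenant comes from the
// authenticated principal (never from the request) and is part of the lookup,
// so a cross-tenant UID is indistinguishable from a missing one.
func GetDeviceScoped(callerTenant, uid string) (Device, error) {
	d, ok := store[uid]
	if !ok || d.TenantID != callerTenant {
		return Device{}, ErrNotFound
	}
	return d, nil
}

// queryable is the allowlist of fields a client may sort or filter on. Any
// other identifier, including "$where" or "$expr", is rejected before it can
// become a BSON key. The field names are assumptions for this example.
var queryable = map[string]bool{"name": true, "status": true, "last_seen": true}

// Filter is one client-supplied filter clause as decoded from the query string.
type Filter struct {
	Field string
	Op    string // "eq" or "contains"
	Value string
}

// BuildQuery turns client input into a BSON-like filter and sort document.
// Field names are allowlisted, and the only regex the server ever builds is
// from a metacharacter-escaped literal, so "contains" cannot be turned into
// an arbitrary $regex probe.
func BuildQuery(sortBy string, filters []Filter) (filter, sort map[string]any, err error) {
	if !queryable[sortBy] {
		return nil, nil, fmt.Errorf("unsupported sort field %q", sortBy)
	}
	sort = map[string]any{sortBy: 1}
	filter = map[string]any{}
	for _, f := range filters {
		if !queryable[f.Field] {
			return nil, nil, fmt.Errorf("unsupported filter field %q", f.Field)
		}
		switch f.Op {
		case "eq":
			filter[f.Field] = f.Value
		case "contains":
			filter[f.Field] = map[string]any{"$regex": regexp.QuoteMeta(f.Value)}
		default:
			return nil, nil, fmt.Errorf("unsupported operator %q", f.Op)
		}
	}
	return filter, sort, nil
}

func main() {
	// A tenant-b caller asks for tenant-a's device: the unscoped lookup leaks it,
	// the scoped one reports not found.
	if _, err := GetDeviceUnscoped("dev-a1"); err == nil {
		fmt.Println("unscoped: leaked dev-a1 to a tenant-b caller")
	}
	_, err := GetDeviceScoped("tenant-b", "dev-a1")
	fmt.Println("scoped:", err)

	// An attacker-controlled sort key is rejected instead of reaching the database.
	_, _, err = BuildQuery("$where", nil)
	fmt.Println("sort:", err)

	// Regex metacharacters in a "contains" value are neutralised.
	f, _, _ := BuildQuery("name", []Filter{{Field: "name", Op: "contains", Value: "^a.*"}})
	fmt.Println("filter:", f)
}
```

The point of returning ErrNotFound rather than a distinct "forbidden" error in GetDeviceScoped is that a 404 and a 403 would otherwise let a caller confirm which UIDs exist in other tenants, which is the enumeration half of the first advisory.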

Full Changelog: v0.21.6...v0.21.7
