Beware! Cosmos Home Server Users – Critical Remote Code Execution Vulnerability Patched

CVE: CVE-2023-49091
CVSS (v3.1): 8.8
Source: CVE-2023-49091

Cosmos is a popular open source tool that allows users to self-host applications from home. Unfortunately, a critical vulnerability was discovered in an earlier version of Cosmos that could allow remote attackers to take control of users’ home servers.

The issue lay in how Cosmos handled user authentication tokens. When a user logged out of their Cosmos server, the token issued at login was not invalidated server-side, so it stayed valid. An attacker who had obtained a copy of that token could present it to the server and gain full access to the user's account, even though the user had already logged out.

This means that an attacker on the same network, or one otherwise able to intercept traffic, could steal user tokens and take control of Cosmos servers without the owner's knowledge. They would be able to view files, install malware, change settings, and more.

Luckily, the Cosmos developers have addressed this issue and released version 0.13.0, which properly invalidates tokens on logout. All Cosmos users are strongly advised to update immediately to protect themselves from this authentication bypass vulnerability. Users should also consider changing their passwords as a precaution.
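As an added illustration (not Cosmos's own code), here is one way to implement the behaviour the fix restores: an in-memory session store that records every issued token server-side and deletes it on logout, so a copy stolen earlier is refused afterwards. The `SessionStore` type and its methods are this example's own names.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
)

// SessionStore records every live token server-side, so that logout can
// revoke a token rather than leave it valid (added illustration, not Cosmos code).
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // token -> user name
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]string)}
}

// Login issues a random opaque token and records it server-side.
func (s *SessionStore) Login(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = user
	return tok, nil
}

// Logout deletes the session, so a copy stolen earlier is rejected too.
func (s *SessionStore) Logout(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, tok)
}

// Authenticate returns the user for a live token; revoked tokens fail.
func (s *SessionStore) Authenticate(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[tok]
	if !ok {
		return "", errors.New("invalid or revoked token")
	}
	return user, nil
}
```

A stateless token scheme has nothing to delete at logout, which is why a revocation record (a session table or a denylist) on the server is what makes logout meaningful.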

While self-hosting can provide benefits over cloud services, it's important to always keep software up to date to prevent remote attackers from gaining access. Be vigilant about applying patches and stay safe online!
