Impact Analysis

If you run a Bokeh server version 3.8.1 or below with an allowlist configured, an attacker can exploit this vulnerability to impersonate a trusted origin by registering a similar but malicious domain. This can lead to unauthorized WebSocket connections to your server, allowing the attacker to interact with the server as if they were the victim. The attacker could potentially access sensitive data or modify visualizations, compromising the integrity and confidentiality of your data and visual outputs. [2]

Useful 0 Not Useful 0

Executive Summary

This vulnerability in Bokeh server versions 3.8.1 and below involves improper origin validation in WebSocket connections. When a server is configured with an allowlist of domains, the flawed logic in the origin check allows an attacker to register a domain that starts with an allowed pattern but has additional segments (e.g., dashboard.corp.attacker.com when dashboard.corp is allowed). The attacker can lure a victim to visit this malicious domain, which then initiates a WebSocket connection to the vulnerable Bokeh server. Because the origin validation only compares the initial parts of the hostname, the server mistakenly accepts the connection. This allows the attacker to interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data or modifying visualizations. The issue was fixed in version 3.8.2. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring WebSocket connection attempts to your Bokeh server and inspecting the Origin headers of these requests. Look for connections where the Origin header matches your allowlist patterns but includes additional subdomains or suffixes (e.g., dashboard.corp.attacker.com when dashboard.corp is allowed). You can use network monitoring tools like tcpdump or Wireshark to capture WebSocket handshake requests and filter by Origin headers. For example, using tcpdump: `tcpdump -i <interface> -A -s 0 'tcp port <bokeh_server_port>' | grep Origin` to inspect Origin headers in WebSocket upgrade requests. Additionally, reviewing server logs for unexpected or suspicious Origin headers can help detect exploitation attempts. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade your Bokeh server to version 3.8.2 or later, where the origin validation logic has been fixed. This update corrects the host matching logic to properly validate wildcard hosts and ports, preventing unauthorized WebSocket connections from attacker-controlled domains. Since no workarounds are available, upgrading is the recommended action to prevent exploitation. [2, 1]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0