Skip to main content

Missing Authentication for Critical Function

CVE-2023-43644

Severity High
Score 9.8/10

Summary

Sing-box is an open source proxy system. Versions prior to 1.4.5 and 1.5.x prior to 1.5.0-rc.5 are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users unable to update should not expose the SOCKS5 inbound to insecure environments. NOTE: The vulnerability originally affects the module "github.com/sagernet/sing" versions prior to 0.2.12.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Advisory Timeline

  • Published