Dozzle Cross-Site WebSocket Hijacking Vulnerability in WebSocket Upgrader

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability has been identified in Dozzle, a real-time log viewer for Docker containers, in versions prior to 10.5.2. The issue arises because the WebSocket upgrader for the '/exec' and '/attach' endpoints accepts upgrade requests from any origin. This vulnerability is compounded by the JWT cookie being set with 'SameSite: Lax', allowing an attacker to initiate a WebSocket connection to the exec endpoint with the victim's JWT cookie, thereby gaining interactive shell access to containers the victim can access.

Impact

Exploitation of this vulnerability allows an attacker to hijack an authenticated WebSocket connection and gain interactive shell access in Docker containers that the victim has permission to access. This could lead to unauthorized command execution, access to sensitive files and environment variables, and potentially escaping to the Docker host if the Docker socket is mounted with write permissions.

Reproduction

To reproduce this vulnerability, deploy Dozzle with authentication enabled and the '--enable-shell' option. An attacker must host a page on a same-site origin, such as a sibling subdomain or another service on localhost, and then initiate a WebSocket connection to the Dozzle exec endpoint while the victim is authenticated and has an active JWT cookie. The WebSocket upgrade will be accepted, and the attacker will gain shell access in the victim's authorized containers.

Remediation

Users can update to Dozzle version 10.5.2 or later, where this vulnerability has been fixed.