Description
CometD is a scalable comet implementation for web messaging. In any version prior to 5.0.11, 6.0.6, and 7.0.6, internal usage of the Oort and Seti channels is improperly authorized, so any remote user can subscribe and publish to those channels. By subscribing to them, a remote user may be able to watch cluster-internal traffic that contains other users' (possibly sensitive) data. By publishing to them, a remote user may be able to create, modify or delete other users' data and alter the cluster structure. A fix is available in versions 5.0.11, 6.0.6, and 7.0.6. As a workaround, install a custom `SecurityPolicy` that forbids remote, non-Oort sessions from subscribing and publishing to the Oort and Seti channels.
References (2)
Third Party Advisory (x_refsource_confirm): https://github.com/cometd/cometd/security/advisories/GHSA-rjmq-6v55-4rjv
Issue Tracking, Third Party Advisory (x_refsource_misc): https://github.com/cometd/cometd/issues/1146
Scores
CVSS v3: 8.1
EPSS: 0.0110
EPSS Percentile: 61.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-863
Status: published
Products (2)
cometd/cometd: < 5.0.11
org.cometd.java/cometd-java-oort (Maven): 0 - 5.0.11
Published: Mar 15, 2022
Tracked Since: Feb 18, 2026