How the flaw works
Marimo's server includes a built-in terminal feature that lets users run commands directly from the browser. That terminal was reachable over the network without any authentication check, whereas other parts of the same server correctly required users to log in before connecting, the post said.
"The terminal endpoint skips this check entirely, accepting connections from any unauthenticated client and granting a full interactive shell running with the privileges of the Marimo process," the post added.
In practical terms, anyone who could reach the server over the internet could walk straight into a live command shell, often with administrator-level access, without ever entering a password, the team at Sysdig said.
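The flaw described above is a per-route authentication gap: the login check existed on the server but was not applied to the terminal endpoint. The following is an added illustration, not Marimo's own code, of the two dispatch patterns side by side, plus a small audit helper that a defender can run against a route table to catch any endpoint that answers an unauthenticated request. The route paths, token and handler names are hypothetical placeholders chosen for the example.

```python
"""Added example: per-route auth checks (easy to forget) versus a single
central gate, with an audit helper that flags unauthenticated routes.
Hypothetical code; not taken from Marimo or the Sysdig post."""
from dataclasses import dataclass, field
import hmac

# Constructed sample token for this demo only; a real server issues its own.
SERVER_TOKEN = "constructed-example-token"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    """Constant-time comparison of the presented bearer token."""
    supplied = req.headers.get("Authorization", "")
    return hmac.compare_digest(supplied, f"Bearer {SERVER_TOKEN}")


def notebook_handler(req: Request):
    return (200, "notebook websocket accepted")


def terminal_handler(req: Request):
    # Stand-in for the handler that would hand the client an interactive
    # shell with the server process's privileges; nothing is spawned here.
    return (200, "terminal websocket accepted")


# Flawed pattern: each route declares whether it wants the auth check.
# The terminal route (hypothetical path) was registered without it.
FLAWED_ROUTES = {
    "/ws": (notebook_handler, True),
    "/terminal/ws": (terminal_handler, False),  # check skipped
}


def dispatch_flawed(req: Request):
    entry = FLAWED_ROUTES.get(req.path)
    if entry is None:
        return (404, "not found")
    handler, requires_auth = entry
    if requires_auth and not is_authenticated(req):
        return (401, "unauthorized")
    return handler(req)


# Hardened pattern: authentication is enforced once, before any handler
# runs, so a newly added route cannot silently opt out.
HARDENED_ROUTES = {"/ws": notebook_handler, "/terminal/ws": terminal_handler}


def dispatch_hardened(req: Request):
    if not is_authenticated(req):
        return (401, "unauthorized")
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return (404, "not found")
    return handler(req)


def audit_routes(dispatch, paths):
    """Return every route that answers 200 to a request carrying no
    credentials. Suitable as a CI check over the server's route table."""
    return [p for p in paths if dispatch(Request(p))[0] == 200]


if __name__ == "__main__":
    paths = list(HARDENED_ROUTES)
    print("flawed server, open routes:", audit_routes(dispatch_flawed, paths))
    print("hardened server, open routes:", audit_routes(dispatch_hardened, paths))
```

The audit helper is the practical takeaway: rather than trusting that each route author remembered the check, enumerate the route table and assert that nothing privileged answers an unauthenticated request. In the hardened form the only way to expose a route is to place it explicitly before the central gate, which is a visible, reviewable decision.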