References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent.  Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin — including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-346

CWE-942

https://github.com/Cleanuparr/Cleanuparr/security/advisories/GHSA-rwpc-36mg-fpvf