Pensar - auto fix for 1 issue (CWE-489, CWE-284) (#937)

![Secured with Pensar](https://pensar-brand-assets.s3.us-east-1.amazonaws.com/secured-by-pensar-large.svg)

The critical vulnerability involved exposing the debugpy debugger server
on 0.0.0.0:5678 (all network interfaces) when certain environment
variables were set, which allowed unauthenticated remote code execution.
This was fixed by changing the debugpy --listen argument from
0.0.0.0:5678 to 127.0.0.1:5678, ensuring the debug server is bound only
to localhost and is not externally accessible. All other code and logic
were left unchanged.
      
<details>
<summary>More Details</summary>

| Type | Identifier | Message | Severity | Link |
|------|------------|---------|----------|------|
| <pre>Application</pre> | <pre>CWE-489, CWE-284</pre> | When both ENVIRONMENT=dev/local and DEBUG=true are set, the script launches `debugpy` bound to 0.0.0.0:5678 and waits for a client to attach. `debugpy` shells allow full, arbitrary code execution inside the running container/process. If the container or host network is exposed—even inadvertently—an attacker can connect to this port and gain RCE. Because only environment variables gate this behavior, a mis-configuration, leaked compose file, or SSRF that sets these variables could unintentionally expose the debugger in production.<br>Impact: Remote Code Execution, full compromise of the application and underlying data.<br>Severity is elevated as the issue provides unauthenticated code-level access to the live service. | <pre>critical</pre> | [Link](https://console.pensar.dev/cognee/projects/cognee/a3838758-8ac3-4f46-8d34-035abb845e91) |


</details>

Co-authored-by: pensarapp[bot] <182705637+pensarapp[bot]@users.noreply.github.com>
This commit is contained in:
pensarapp[bot] 2025-06-09 21:51:51 +02:00 committed by GitHub
parent ecbabbd261
commit 7fab2e51ff
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -37,10 +37,10 @@ sleep 2
if [ "$ENVIRONMENT" = "dev" ] || [ "$ENVIRONMENT" = "local" ]; then
if [ "$DEBUG" = "true" ]; then
echo "Waiting for the debugger to attach..."
debugpy --wait-for-client --listen 0.0.0.0:5678 -m gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app
debugpy --wait-for-client --listen 127.0.0.1:5678 -m gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app
else
gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level debug --reload cognee.api.client:app
fi
else
gunicorn -w 3 -k uvicorn.workers.UvicornWorker -t 30000 --bind=0.0.0.0:8000 --log-level error cognee.api.client:app
fi
fi
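Review bot: The loopback bind on the added debugpy line (`--listen 127.0.0.1:5678`) closes the exposure, but it also changes how developers reach the debugger, and nothing in the hunk records that: when this script runs inside a container, 127.0.0.1 is the container's own loopback, so attaching from the host through a published port no longer works and the client has to originate inside the container's network namespace (for example via `docker exec` or an SSH/port-forward into the container). Since `--wait-for-client` blocks startup until something attaches, a developer who keeps using the old host-side workflow will see `echo "Waiting for the debugger to attach..."` and then a hang with no explanation; please document the new attach procedure next to that message or in the project's dev docs. The gating itself is unchanged and still correct for this fix's scope: the debugger only starts when `ENVIRONMENT` is `dev`/`local` and `DEBUG` is `true`, and the gunicorn `--bind=0.0.0.0:8000` on the same line remains the application's own listener, so the change narrows only the debug port, which is the right thing to touch here.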