CVE-2023-39966 (GCVE-0-2023-39966)
Vulnerability from cvelistv5 – Published: 2023-08-10 17:46 – Updated: 2024-10-04 18:56
VLAI?
Summary
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| 1Panel-dev | 1Panel |
Affected:
= 1.4.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "1panel",
"vendor": "fit2cloud",
"versions": [
{
"status": "affected",
"version": "1.4.3"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39966",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T18:15:22.442783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T18:56:18.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "1Panel",
"vendor": "1Panel-dev",
"versions": [
{
"status": "affected",
"version": "= 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-10T17:46:21.104Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
],
"source": {
"advisory": "GHSA-hf7j-xj3w-87g4",
"discovery": "UNKNOWN"
},
"title": "1Panel arbitrary file write vulnerability exists in the background"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39966",
"datePublished": "2023-08-10T17:46:21.104Z",
"dateReserved": "2023-08-07T16:27:27.077Z",
"dateUpdated": "2024-10-04T18:56:18.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9FB1DBC8-57BC-4F73-AB3E-E87FABCFDBCF\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.\"}, {\"lang\": \"es\", \"value\": \"1Panel es un panel de gesti\\u00f3n de operaci\\u00f3n y mantenimiento de servidores Linux de c\\u00f3digo abierto. En la versi\\u00f3n 1.4.3, una vulnerabilidad de escritura de archivos arbitraria podr\\u00eda llevar al control directo del servidor. En el archivo `api/v1/file.go`, hay una funci\\u00f3n llamada `SaveContent que `recibe datos JSON enviados por los usuarios en forma de solicitud POST. Y la falta de filtrado de par\\u00e1metros permite operaciones de escritura de archivos arbitrarias. La versi\\u00f3n 1.5.0 contiene un parche para este problema.\"}]",
"id": "CVE-2023-39966",
"lastModified": "2024-11-21T08:16:08.343",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-08-10T18:15:11.550",
"references": "[{\"url\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\", \"Release Notes\"]}, {\"url\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\", \"Release Notes\"]}, {\"url\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-39966\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-08-10T18:15:11.550\",\"lastModified\":\"2024-11-21T08:16:08.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.\"},{\"lang\":\"es\",\"value\":\"1Panel es un panel de gesti\u00f3n de operaci\u00f3n y mantenimiento de servidores Linux de c\u00f3digo abierto. En la versi\u00f3n 1.4.3, una vulnerabilidad de escritura de archivos arbitraria podr\u00eda llevar al control directo del servidor. En el archivo `api/v1/file.go`, hay una funci\u00f3n llamada `SaveContent que `recibe datos JSON enviados por los usuarios en forma de solicitud POST. Y la falta de filtrado de par\u00e1metros permite operaciones de escritura de archivos arbitrarias. La versi\u00f3n 1.5.0 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FB1DBC8-57BC-4F73-AB3E-E87FABCFDBCF\"}]}]}],\"references\":[{\"url\":\"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"name\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"name\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:18:10.194Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-39966\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-04T18:15:22.442783Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*\"], \"vendor\": \"fit2cloud\", \"product\": \"1panel\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.4.3\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-04T18:56:11.801Z\"}}], \"cna\": {\"title\": \"1Panel arbitrary file write vulnerability exists in the background\", \"source\": {\"advisory\": \"GHSA-hf7j-xj3w-87g4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"1Panel-dev\", \"product\": \"1Panel\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 1.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"name\": \"https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"name\": \"https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-08-10T17:46:21.104Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-39966\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-04T18:56:18.054Z\", \"dateReserved\": \"2023-08-07T16:27:27.077Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-08-10T17:46:21.104Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2023-39966
Vulnerability from fkie_nvd - Published: 2023-08-10 18:15 - Updated: 2024-11-21 08:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0 | Product, Release Notes | |
| security-advisories@github.com | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0 | Product, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4 | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9FB1DBC8-57BC-4F73-AB3E-E87FABCFDBCF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue."
},
{
"lang": "es",
"value": "1Panel es un panel de gesti\u00f3n de operaci\u00f3n y mantenimiento de servidores Linux de c\u00f3digo abierto. En la versi\u00f3n 1.4.3, una vulnerabilidad de escritura de archivos arbitraria podr\u00eda llevar al control directo del servidor. En el archivo `api/v1/file.go`, hay una funci\u00f3n llamada `SaveContent que `recibe datos JSON enviados por los usuarios en forma de solicitud POST. Y la falta de filtrado de par\u00e1metros permite operaciones de escritura de archivos arbitrarias. La versi\u00f3n 1.5.0 contiene un parche para este problema."
}
],
"id": "CVE-2023-39966",
"lastModified": "2024-11-21T08:16:08.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-10T18:15:11.550",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-HF7J-XJ3W-87G4
Vulnerability from github – Published: 2023-08-10 20:09 – Updated: 2023-08-10 20:09
VLAI?
Summary
1Panel arbitrary file write vulnerability
Details
Summary
An arbitrary file write vulnerability could lead to direct control of the server
Details
Arbitrary file creation
In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:
- Vulnerable Code
PoC
- We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.
-
The server was successfully written to the public key
-
Successfully connected to the target server using an SSH private key.
As a result, the server is directly controlled, causing serious harm
Impact
1Panel v1.4.3
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/1Panel-dev/1Panel"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.3"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4.3"
]
}
],
"aliases": [
"CVE-2023-39966"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-10T20:09:47Z",
"nvd_published_at": "2023-08-10T18:15:11Z",
"severity": "HIGH"
},
"details": "# Summary\nAn arbitrary file write vulnerability could lead to direct control of the server\n# Details\n## Arbitrary file creation\nIn the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:\n\n- Vulnerable Code\n\n\n\n# PoC\n\n- We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.\n\n\n\n- The server was successfully written to the public key\n\n\n- Successfully connected to the target server using an SSH private key.\n\n\n\nAs a result, the server is directly controlled, causing serious **harm**\n\n\n# Impact\n1Panel v1.4.3\n",
"id": "GHSA-hf7j-xj3w-87g4",
"modified": "2023-08-10T20:09:47Z",
"published": "2023-08-10T20:09:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39966"
},
{
"type": "PACKAGE",
"url": "https://github.com/1Panel-dev/1Panel"
},
{
"type": "WEB",
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "1Panel arbitrary file write vulnerability"
}
GSD-2023-39966
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-39966",
"id": "GSD-2023-39966"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-39966"
],
"details": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.",
"id": "GSD-2023-39966",
"modified": "2023-12-13T01:20:33.300047Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-39966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "1Panel",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "= 1.4.3"
}
]
}
}
]
},
"vendor_name": "1Panel-dev"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-862",
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4",
"refsource": "MISC",
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
},
{
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"refsource": "MISC",
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
}
]
},
"source": {
"advisory": "GHSA-hf7j-xj3w-87g4",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-39966"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0",
"refsource": "MISC",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0"
},
{
"name": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-09-08T16:56Z",
"publishedDate": "2023-08-10T18:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…