GHSA-5GRX-V727-QMQ6

Vulnerability from github – Published: 2024-07-18 14:25 – Updated: 2024-07-24 13:49
VLAI?
Summary
1Panel has an SQL injection issue related to the orderBy clause
Details

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows

Details (one of them )

image image image

PoC

curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"3","order":"ascending","name":"a"} image for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

Impact

RCE、data leak.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/1Panel-dev/1Panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.12-tls"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T14:25:00Z",
    "nvd_published_at": "2024-07-18T16:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThere are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.\nThe proof is as follows\n\n### Details \uff08one of them \uff09\n\u003cimg width=\"697\" alt=\"image\" src=\"https://github.com/1Panel-dev/1Panel/assets/129351704/895b7b43-9bc0-44b3-9c84-24c2dcc962da\"\u003e\n\u003cimg width=\"936\" alt=\"image\" src=\"https://github.com/1Panel-dev/1Panel/assets/129351704/1b8eb866-9865-4bef-a359-53335d709157\"\u003e\n\u003cimg width=\"684\" alt=\"image\" src=\"https://github.com/1Panel-dev/1Panel/assets/129351704/e865d6d0-7ecb-49f7-b4a2-f1b0bc407986\"\u003e\n\n\n### PoC\ncurl \u0027http://api:30455/api/v1/hosts/command/search\u0027 {\"page\":1,\"pageSize\":10,\"groupID\":0,\"orderBy\":\"**3**\",\"order\":\"ascending\",\"name\":\"a\"}\n\u003cimg width=\"664\" alt=\"image\" src=\"https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f\"\u003e\nfor example as picture . just change orderby\u2018s num we can know How many columns does the data table have.Parameters require strict whitelist filtering\n\n### Impact\nRCE\u3001data leak.\n",
  "id": "GHSA-5grx-v727-qmq6",
  "modified": "2024-07-24T13:49:36Z",
  "published": "2024-07-18T14:25:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/1Panel-dev/1Panel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "1Panel has an SQL injection issue related to the orderBy clause"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.