CVE-2023-39966 – github.com/1panel-dev/1panel

Package

Manager: go
Name: github.com/1panel-dev/1panel
Vulnerable Version: =1.4.3 || >=1.4.3 <1.5.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00185 pctl0.40446

Details

1Panel arbitrary file write vulnerability # Summary An arbitrary file write vulnerability could lead to direct control of the server # Details ## Arbitrary file creation In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this: - Vulnerable Code  # PoC - We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.  - The server was successfully written to the public key  - Successfully connected to the target server using an SSH private key.   As a result, the server is directly controlled, causing serious **harm** # Impact 1Panel v1.4.3

Metadata

Created: 2023-08-10T20:09:47Z
Modified: 2023-08-10T20:09:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-hf7j-xj3w-87g4/GHSA-hf7j-xj3w-87g4.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-hf7j-xj3w-87g4
Finding: F039
Auto approve: 1