CVE-2024-39907 – github.com/1panel-dev/1panel

Package

Manager: go
Name: github.com/1panel-dev/1panel
Vulnerable Version: >=0 <1.10.12-tls

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.86375 pctl0.99367

Details

1Panel has an SQL injection issue related to the orderBy clause ### Summary There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows ### Details （one of them ） <img width="697" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/895b7b43-9bc0-44b3-9c84-24c2dcc962da"> <img width="936" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/1b8eb866-9865-4bef-a359-53335d709157"> <img width="684" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/e865d6d0-7ecb-49f7-b4a2-f1b0bc407986"> ### PoC curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"**3**","order":"ascending","name":"a"} <img width="664" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f"> for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering ### Impact RCE、data leak.

Metadata

Created: 2024-07-18T14:25:00Z
Modified: 2024-07-24T13:49:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-5grx-v727-qmq6/GHSA-5grx-v727-qmq6.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-5grx-v727-qmq6
Finding: F297
Auto approve: 1