CVE-2024-34066 – github.com/pterodactyl/wings
Package
Manager: go
Name: github.com/pterodactyl/wings
Vulnerable Version: >=0 <1.11.12
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00249 (percentile 0.48027)
Details
Pterodactyl Wings vulnerable to Arbitrary File Write/Read

### Impact
If the Wings token is leaked, either by viewing the node configuration or by posting it somewhere accidentally, an attacker can use it to gain arbitrary file write and read access on the node the token is associated with.

### Workarounds
Enabling the `ignore_panel_config_updates` option or updating to the latest version of Wings are the only known workarounds.

### Patches
https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de
Metadata
Created: 2024-05-03T20:28:10Z
Modified: 2024-05-03T20:28:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-gqmf-jqgv-v8fw/GHSA-gqmf-jqgv-v8fw.json
CWE IDs: ["CWE-552"]
Alternative ID: GHSA-gqmf-jqgv-v8fw
Finding: F123
Auto approve: 1