CVE-2024-34352

1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847

Configurations

No configuration.

History

21 Nov 2024, 09:18

Type	Values Removed	Values Added
References	~~() https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847 -~~	() https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847 -
Summary		(es) 1Panel es un panel de gestión de operación y mantenimiento de servidores Linux de código abierto. Antes de v1.10.3-lts, había muchas inyecciones de comandos en el proyecto y algunas de ellas no estaban bien filtradas, lo que provocaba escrituras de archivos arbitrarias y, en última instancia, RCE. El símbolo de escritura de configuración espejo `>` se puede utilizar para lograr la escritura de archivos arbitraria. Esta vulnerabilidad se solucionó en v1.10.3-lts.

14 May 2024, 15:38

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-14 15:38

Updated : 2024-11-21 09:18

NVD link : CVE-2024-34352

Mitre link : CVE-2024-34352

CVE.ORG link : CVE-2024-34352

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

6.5 /10