Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940

Closed
GoVulnBot opened this issue Jul 18, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940

GoVulnBot opened this issue Jul 18, 2023 · 2 comments
Assignees
@neild
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2023-37477 references github.com/1Panel-dev/1Panel, which may be a Go module.

Description:
1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. 1Panel firewall functionality /hosts/firewall/ip endpoint read user input without validation, the attacker extends the default functionality of the application, which execute system commands. An attacker can execute arbitrary code on the target system, which can lead to a complete compromise of the system. This issue has been addressed in commit e17b80cff49 which is included in release version 1.4.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/1Panel-dev/1Panel
      vulnerable_at: 1.4.3
      packages:
        - package: 1Panel
description: |-
    1Panel is an open source Linux server operation and maintenance management
    panel. An OS command injection vulnerability exists in 1Panel firewall
    functionality. A specially-crafted HTTP request can lead to arbitrary command
    execution. An attacker can make an authenticated HTTP request to trigger this
    vulnerability. 1Panel firewall functionality `/hosts/firewall/ip` endpoint read
    user input without validation, the attacker extends the default functionality of
    the application, which execute system commands. An attacker can execute
    arbitrary code on the target system, which can lead to a complete compromise of
    the system. This issue has been addressed in commit `e17b80cff49` which is
    included in release version `1.4.3`. Users are advised to upgrade. There are no
    known workarounds for this vulnerability.
cves:
    - CVE-2023-37477
references:
    - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-p9xf-74xh-mhw5
    - fix: https://github.com/1Panel-dev/1Panel/commit/e17b80cff4975ee343568ff526b62319f499005d
@neild neild self-assigned this Jul 25, 2023
@neild neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 25, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports

This was referenced Aug 10, 2023
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 5, 2024
Closed
This was referenced Mar 6, 2024
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 3, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 18, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue May 9, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot