Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SECURITY: two privilege escalation from regular user to root #1921

Open
cyrus-and opened this issue Jul 29, 2019 · 8 comments

Comments

@cyrus-and
Copy link

commented Jul 29, 2019

(Sorry for the dramatic subject.)

Well, it's really disappointing and unprofessional to come to this...

Two months ago (2019-05-28) I disclosed two privilege escalation vulnerabilities to info@vestacp.com (and eventually also to dev@vestacp.com and skid@vestacp.com), I obtained no useful replies or actions so I'm trying to reach a wider audience by opening an issue here (and no, I won't join the forum).

As today the two vulnerabilities are still undisclosed as I fairly believe that a responsible disclosure approach is the right way to go. Yet we're pushing the boundaries here and I don't think the maintainers are being respectful of the userbase.

So this is my last attempt to get these issues fixed, after that I will disclose them anyway, fixed or not. Users having write access to this repo can reach me privately for details, it's even better if they reply to the original message sent to the above @vestacp.com addresses, provided that they're allowed to do that.

@cantalupo555

This comment has been minimized.

Copy link

commented Aug 3, 2019

I'm following the outcome of this story

@skullwritter

This comment has been minimized.

Copy link
Contributor

commented Aug 5, 2019

@pablobae

This comment has been minimized.

Copy link
Contributor

commented Aug 8, 2019

we need info about how to fix it...

@cyrus-and

This comment has been minimized.

Copy link
Author

commented Aug 12, 2019

Alright, issues are now fixed in master but a new release has not been bumped yet, so...

@ScIT-Raphael

This comment has been minimized.

Copy link

commented Aug 13, 2019

Alright, issues are now fixed in master but a new release has not been bumped yet, so...

Have all this vulnerabilities been fixed?

@attritionorg

This comment has been minimized.

Copy link

commented Aug 15, 2019

@cyrus-and Can you link to the fixing commits please?

@cyrus-and

This comment has been minimized.

Copy link
Author

commented Aug 15, 2019

@attritionorg they're in the writeups, see the timeline.

@attritionorg

This comment has been minimized.

Copy link

commented Aug 15, 2019

@cyrus-and my apologies, I thought those were just announcing the CVE assignments. thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
9 participants
You can’t perform that action at this time.