Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SECURITY: two privilege escalation from regular user to root #1921

Open
cyrus-and opened this issue Jul 29, 2019 · 10 comments
Open

SECURITY: two privilege escalation from regular user to root #1921

cyrus-and opened this issue Jul 29, 2019 · 10 comments
Assignees
Labels

Comments

@cyrus-and
Copy link

@cyrus-and cyrus-and commented Jul 29, 2019

(Sorry for the dramatic subject.)

Well, it's really disappointing and unprofessional to come to this...

Two months ago (2019-05-28) I disclosed two privilege escalation vulnerabilities to info@vestacp.com (and eventually also to dev@vestacp.com and skid@vestacp.com), I obtained no useful replies or actions so I'm trying to reach a wider audience by opening an issue here (and no, I won't join the forum).

As today the two vulnerabilities are still undisclosed as I fairly believe that a responsible disclosure approach is the right way to go. Yet we're pushing the boundaries here and I don't think the maintainers are being respectful of the userbase.

So this is my last attempt to get these issues fixed, after that I will disclose them anyway, fixed or not. Users having write access to this repo can reach me privately for details, it's even better if they reply to the original message sent to the above @vestacp.com addresses, provided that they're allowed to do that.

@anton-reutov anton-reutov added this to the 0.9.8-24-1 milestone Jul 30, 2019
@cantalupo555
Copy link

@cantalupo555 cantalupo555 commented Aug 3, 2019

I'm following the outcome of this story

Loading

@tlcd96
Copy link
Contributor

@tlcd96 tlcd96 commented Aug 5, 2019

Loading

@pablobae
Copy link
Contributor

@pablobae pablobae commented Aug 8, 2019

we need info about how to fix it...

Loading

@cyrus-and
Copy link
Author

@cyrus-and cyrus-and commented Aug 12, 2019

Alright, issues are now fixed in master but a new release has not been bumped yet, so...

Loading

@ScIT-Raphael
Copy link

@ScIT-Raphael ScIT-Raphael commented Aug 13, 2019

Alright, issues are now fixed in master but a new release has not been bumped yet, so...

Have all this vulnerabilities been fixed?

Loading

@attritionorg
Copy link

@attritionorg attritionorg commented Aug 15, 2019

@cyrus-and Can you link to the fixing commits please?

Loading

@cyrus-and
Copy link
Author

@cyrus-and cyrus-and commented Aug 15, 2019

@attritionorg they're in the writeups, see the timeline.

Loading

@attritionorg
Copy link

@attritionorg attritionorg commented Aug 15, 2019

@cyrus-and my apologies, I thought those were just announcing the CVE assignments. thanks!

Loading

@PecceG2
Copy link

@PecceG2 PecceG2 commented Feb 7, 2020

Good job, this was fixed in the latest release version?

Loading

@noraj
Copy link

@noraj noraj commented Mar 6, 2020

Loading

@anton-reutov anton-reutov removed this from the 0.9.8-24(1) milestone Nov 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet