CVE-2023-25152
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-25152
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25152.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-25152
- Aliases
- Related
- Published
- 2023-02-08T19:15:11Z
- Modified
- 2025-01-15T04:44:31.945606Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized keys to allow the attacker access to a remote shell on the target machine. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by the Wings Daemon. This vulnerability has been resolved in version
v1.11.3of the Wings Daemon, and has been back-ported to the 1.7 release series inv1.7.3. Anyone runningv1.11.xshould upgrade tov1.11.3and anyone runningv1.7.xshould upgrade tov1.7.3. There are no known workarounds for this vulnerability.Workarounds
None at this time.
- References
Affected packages
Git / github.com/pterodactyl/wings
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pterodactyl/wings
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed