CVE-2023-37477

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-37477

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37477.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-37477

Aliases

Related

GHSA-p9xf-74xh-mhw5

Published

2023-07-18T19:15:09Z

Modified

2025-01-15T04:55:51.949146Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. 1Panel firewall functionality /hosts/firewall/ip endpoint read user input without validation, the attacker extends the default functionality of the application, which execute system commands. An attacker can execute arbitrary code on the target system, which can lead to a complete compromise of the system. This issue has been addressed in commit e17b80cff49 which is included in release version 1.4.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/1panel-dev/1panel

Affected ranges

Type: GIT
Repo: https://github.com/1panel-dev/1panel
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e17b80cff4975ee343568ff526b62319f499005d

Fixed

e17b80cff4975ee343568ff526b62319f499005d

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.2