GHSA-6rg3-8h8x-5xfv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6rg3-8h8x-5xfv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-6rg3-8h8x-5xfv/GHSA-6rg3-8h8x-5xfv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6rg3-8h8x-5xfv
- Aliases
- Related
- Published
- 2021-06-23T18:04:50Z
- Modified
- 2025-01-14T12:27:30.321808Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Unchecked hostname resolution could allow access to local network resources by users outside the local network
- Details
-
Impact
A newly implemented route allowing users to download files from remote endpoints was not properly verifying the destination hostname for user provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.
This vulnerability requires valid authentication credentials and is therefore not exploitable by unauthenticated users. If you are running an instance for yourself or other trusted individuals this impact is unlikely to be of major concern to you. However, you should still upgrade for security sake.
Patches
Users should upgrade to the latest version of Wings.
Workarounds
There is no workaround available that does not involve modifying Panel or Wings code.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-284", "CWE-441" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-06-23T18:04:30Z" }- References
Affected packages
Go / github.com/pterodactyl/wings
Package
- Name
- github.com/pterodactyl/wings
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/pterodactyl/wings