GHSA-m5q5-8mfw-p2hr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m5q5-8mfw-p2hr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-m5q5-8mfw-p2hr/GHSA-m5q5-8mfw-p2hr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m5q5-8mfw-p2hr
- Aliases
-
- CVE-2023-37266
- GO-2023-1931
- Published
- 2023-07-17T14:40:16Z
- Modified
- 2024-12-12T22:30:02Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CasaOS contains weak JWT secrets
- Details
-
Impact
Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as
rooton CasaOS instances.Patches
The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
References
- 705bf1f
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
- Database specific
{ "nvd_published_at": "2023-07-17T21:15:09Z", "cwe_ids": [ "CWE-1391", "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-07-17T14:40:16Z" }- References
-
- https://github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr
- https://nvd.nist.gov/vuln/detail/CVE-2023-37266
- https://github.com/IceWhaleTech/CasaOS/commit/705bf1facbffd2ca40b159b0303132b6fdf657ad
- https://github.com/IceWhaleTech/CasaOS
- https://pkg.go.dev/vuln/GO-2023-1931
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos
Affected packages
Go / github.com/IceWhaleTech/CasaOS
Package
- Name
- github.com/IceWhaleTech/CasaOS
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/IceWhaleTech/CasaOS