GHSA-vjh7-5r6x-xh6g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vjh7-5r6x-xh6g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-vjh7-5r6x-xh6g/GHSA-vjh7-5r6x-xh6g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vjh7-5r6x-xh6g
- Aliases
- Related
- Published
- 2023-07-17T14:36:09Z
- Modified
- 2024-12-12T22:29:30Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CasaOS Gateway vulnerable to incorrect identification of source IP addresses
- Details
-
Impact
Unauthenticated attackers can execute arbitrary commands as
rooton CasaOS instances.Patches
The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
References
- 391dd7f
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
- Database specific
{ "nvd_published_at": "2023-07-17T21:15:09Z", "cwe_ids": [ "CWE-306", "CWE-348" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-07-17T14:36:09Z" }- References
-
- https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g
- https://nvd.nist.gov/vuln/detail/CVE-2023-37265
- https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7
- https://github.com/IceWhaleTech/CasaOS-Gateway
- https://pkg.go.dev/vuln/GO-2023-1932
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos
Affected packages
Go / github.com/IceWhaleTech/CasaOS-Gateway
Package
- Name
- github.com/IceWhaleTech/CasaOS-Gateway
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/IceWhaleTech/CasaOS-Gateway