GHSA-x2vg-5wrf-vj6v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x2vg-5wrf-vj6v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-x2vg-5wrf-vj6v/GHSA-x2vg-5wrf-vj6v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x2vg-5wrf-vj6v
- Aliases
- Published
- 2024-03-10T03:30:45Z
- Modified
- 2024-06-04T16:56:41.720865Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- 1Panel is vulnerable to command injection
- Details
-
1Panel is vulnerable to command injection. This vulnerability has been classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.
- Database specific
{ "nvd_published_at": "2024-03-10T02:16:08Z", "cwe_ids": [ "CWE-77" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-11T14:00:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-2352
- https://github.com/1Panel-dev/1Panel/pull/4131
- https://github.com/1Panel-dev/1Panel/pull/4131#issue-2176105990
- https://github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c
- https://github.com/1Panel-dev/1Panel
- https://vuldb.com/?ctiid.256304
- https://vuldb.com/?id.256304
Affected packages
Go / github.com/1Panel-dev/1Panel
Package
- Name
- github.com/1Panel-dev/1Panel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/1Panel-dev/1Panel