Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01Z3J4LXY3MjctcW1xNs4AA9_l

1Panel has an SQL injection issue related to the orderBy clause

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
The proof is as follows

Details （one of them ）

PoC

curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"3","order":"ascending","name":"a"}

for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

Impact

RCE、data leak.

Permalink: https://github.com/advisories/GHSA-5grx-v727-qmq6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Z3J4LXY3MjctcW1xNs4AA9_l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 months ago
Updated: about 1 month ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-5grx-v727-qmq6, CVE-2024-39907
References:

Repository: https://github.com/1Panel-dev/1Panel
Blast Radius: 1.0

Affected Packages

go:github.com/1Panel-dev/1Panel

Dependent packages: 1
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.10.12-tls
Fixed in: 1.10.12-tls
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6
All unaffected versions: