Security Advisories: GSA_kwCzR0hTQS1oZjdqLXhqM3ctODdnNM4AA1OF

1Panel arbitrary file write vulnerability

Summary

An arbitrary file write vulnerability could lead to direct control of the server

Details

Arbitrary file creation

In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this:

• Vulnerable Code

PoC

• We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.

• The server was successfully written to the public key
  

• Successfully connected to the target server using an SSH private key.
  
  

As a result, the server is directly controlled, causing serious harm

Impact

1Panel v1.4.3

Permalink: https://github.com/advisories/GHSA-hf7j-xj3w-87g4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZjdqLXhqM3ctODdnNM4AA1OF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00265
EPSS Percentile: 0.65287

Identifiers: GHSA-hf7j-xj3w-87g4, CVE-2023-39966
References:

• https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-hf7j-xj3w-87g4
• https://nvd.nist.gov/vuln/detail/CVE-2023-39966
• https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0
• https://github.com/advisories/GHSA-hf7j-xj3w-87g4

Repository: https://github.com/1Panel-dev/1Panel
Blast Radius: 1.0

Affected Packages