CVE-2023-39964

Опубликовано: 10 авг. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. In the api/v1/file.go file, there is a function called LoadFromFile, which directly reads the file by obtaining the requested path parameter[path]. The request parameters are not filtered, resulting in a background arbitrary file reading vulnerability. Version 1.5.0 has a patch for this issue.

Ссылки

https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0
Product
Release Notes
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5
Exploit
Vendor Advisory
https://github.com/1Panel-dev/1Panel/releases/tag/v1.5.0
Product
Release Notes
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-pv7q-v9mv-9mh5
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:fit2cloud:1panel:1.4.3:*:*:*:*:*:*:*

EPSS

Процентиль: 46%

0.00236

Низкий

7.5 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-pv7q-v9mv-9mh5