CVE-2024-24765

Опубликовано: 06 мар. 2024

Источник: nvd

CVSS3: 7.5

CVSS3: 9.8

EPSS Низкий

Описание

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

Ссылки

https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
Patch
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
Release Notes
https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c
Exploit
Vendor Advisory
https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
Patch
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
Release Notes
https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:o:icewhale:casaos:*:*:*:*:*:*:*:*

Версия до 0.4.7 (исключая)

EPSS

Процентиль: 64%

0.00461

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo

Связанные уязвимости

GHSA-h5gf-cmm8-cg7c

CVSS3: 7.5

github

почти 2 года назад

CasaOS-UserService allows unauthorized access to any file

EPSS

Процентиль: 64%

0.00461

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo