Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2023-25152 #1545

Closed
GoVulnBot opened this issue Feb 8, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2023-25152 #1545

GoVulnBot opened this issue Feb 8, 2023 · 1 comment
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-25152 references github.com/pterodactyl/wings, which may be a Go module.

Description:
Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized keys to allow the attacker access to a remote shell on the target machine. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by the Wings Daemon. This vulnerability has been resolved in version v1.11.3 of the Wings Daemon, and has been back-ported to the 1.7 release series in v1.7.3. Anyone running v1.11.x should upgrade to v1.11.3 and anyone running v1.7.x should upgrade to v1.7.3. There are no known workarounds for this vulnerability. ### Workarounds None at this time.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/pterodactyl/wings
    packages:
      - package: wings
description: |
    Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized keys to allow the attacker access to a remote shell on the target machine. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by the Wings Daemon. This vulnerability has been resolved in version `v1.11.3` of the Wings Daemon, and has been back-ported to the 1.7 release series in `v1.7.3`. Anyone running `v1.11.x` should upgrade to `v1.11.3` and anyone running `v1.7.x` should upgrade to `v1.7.3`. There are no known workarounds for this vulnerability. ### Workarounds None at this time.
cves:
  - CVE-2023-25152
references:
  - web: https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5
  - fix: https://github.com/pterodactyl/wings/commit/dac9685298c3c1c49b3109fa4241aa88272b9f14
@tatianab
Copy link
Contributor

Duplicate of #1542

@tatianab tatianab marked this as a duplicate of #1542 Feb 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @GoVulnBot