Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2024-27102 #2676

Closed
GoVulnBot opened this issue Apr 3, 2024 · 1 comment

Comments

@GoVulnBot
Copy link

CVE-2024-27102 references github.com/pterodactyl/wings, which may be a Go module.

Description:
Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pterodactyl/wings
      vulnerable_at: 1.11.11
      packages:
        - package: wings
cves:
    - CVE-2024-27102
references:
    - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9
    - fix: https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287

@tatianab
Copy link
Contributor

tatianab commented Apr 3, 2024

Duplicate of #2642

@tatianab tatianab marked this as a duplicate of #2642 Apr 3, 2024
@tatianab tatianab closed this as completed Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants