GitHub Advisory Database: GHSA-26W3-Q4J8-4XJP
History: Mar 06, 2024 - 3:29 p.m.

1Panel open source panel project has an unauthorized vulnerability.

CWE-863
Source: GitHub Advisory Database (github.com)

CVSS3: 6.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score: 7 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

Impact

The steps are as follows:

  1. Access https://IP:PORT/ in the browser; the page prompts that access must go through the secure entry point.
    [image]

  2. Intercept the traffic with Burp:
    [image]

Open the browser, enter the URL and let the first intercepted packet through in Burp; the following is then displayed:
[image]

In this situation the console page can be accessed, although no data is returned and no modification operations can be performed.
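The behaviour above (the console page loads while no data comes back) is consistent with a layout in which only the data API is checked on the server and the page route relies on a client-side redirect; that is an assumption, since the advisory does not show 1Panel's code. The Go sketch below is an added illustration, not 1Panel's code, with a hypothetical cookie name, paths and handlers: the weak layout is shown next to a hardened one in which a single server-side gate covers every route, page shell included.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical cookie name, not 1Panel's: it marks a client that has already
// passed the secure entry point the advisory describes.
const entranceCookie = "entrance_ok"

// gate enforces the entry check on the server for whatever handler it wraps.
func gate(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(entranceCookie); err != nil || c.Value != "1" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func consolePage(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "<html>console</html>") }
func hostsAPI(w http.ResponseWriter, r *http.Request)    { fmt.Fprint(w, `[{"name":"host1"}]`) }

// Weak layout (assumed, not 1Panel's code): only the data API is gated; the console shell
// relies on a client-side redirect and is served to anyone (the "page loads, no data" state).
func weakMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/console", consolePage)
	mux.HandleFunc("/api/v1/hosts", gate(hostsAPI))
	return mux
}

// Hardened layout: the same server-side gate wraps every route, page shell included.
func hardenedMux() http.Handler {
	return gate(weakMux().ServeHTTP)
}

// statusFor issues an in-process GET, with or without the entrance cookie, and returns the status code.
func statusFor(h http.Handler, path string, entered bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if entered {
		req.AddCookie(&http.Cookie{Name: entranceCookie, Value: "1"})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```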

Affected versions: <= 1.10.0-lts

Patches

The vulnerability has been fixed in v1.10.1-lts.

Workarounds

It is recommended to upgrade the version to 1.10.1-lts.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/1Panel-dev/1Panel
Email us at [email protected]

Affected configurations

Node: github.com/1paneldev/1panel
Range: 1.10.0-lts
