GitHub Advisory DatabaseGHSA-H5GF-CMM8-CG7CCasaOS-UserService allows unauthorized access to any file
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%
Summary
http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/1/avatar.png
Originally it was to get the url of the user’s avatar, but the path filtering was not strict, making it possible to get any file on the system.
Details
Construct paths to get any file.
Such as the CasaOS user database, and furthermore can obtain system root privileges.
PoC
http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/conf/../db/user.db
Impact
v0.4.6 all previous versions
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/icewhaletech/casaos-userservice | lt | 0.4.7 |
References
github.com/advisories/GHSA-h5gf-cmm8-cg7c
github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c
nvd.nist.gov/vuln/detail/CVE-2024-24765
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%