OSV:GO-2024-2616 (osv, Google)
History: Mar 11, 2024 - 8:09 p.m.

Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService

2024-03-11 20:09:34
Google
osv.dev

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.
