Symbolic Link (Symlink) Following in github.com/pterodactyl/wings
CVE-2023-25152

8.4 HIGH

Key Information:

Vendor: Pterodactyl
CVE Published: 8 February 2023

What is CVE-2023-25152?

Wings is the daemon that forms Pterodactyl's server control plane. Before the fix, its filesystem handling followed symbolic links, so file operations on a game server's data directory could create new files and directory structures on the host that did not previously exist, outside the paths the daemon is meant to manage. An attacker who controls a server allocated to them could use this to change their resource allocations, promote their container to privileged mode, or add SSH authorized keys and gain access to the node outside the container. The same flaw can also be used to write to files the daemon previously handled correctly. Exploitation requires access to a server managed by the Wings daemon, either one already allocated to the attacker or one obtained by creating or taking over a server on the panel. The issue is patched in version 1.11.3 and backported to the 1.7 series in version 1.7.3. There are no known workarounds, so users should upgrade.
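The class of bug described above is a containment check that reasons only about the lexical path, so a symlink planted inside the server's data directory redirects a write to an arbitrary host location, including one where the final components do not exist yet. The example below is added here to illustrate that failure mode and a resolving check; it is not code from Wings or from its patch, and the function names, the temporary directory layout and the "escape" symlink are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a path would land outside the server's data root.
var ErrEscapesRoot = errors.New("path escapes server data root")

// NaiveSafePath is a purely lexical containment check (hypothetical, for
// illustration): it anchors the relative path under root, cleans it, and
// compares string prefixes. It never looks at the filesystem, so it cannot
// notice that an intermediate component is a symlink pointing outside root.
func NaiveSafePath(root, rel string) (string, error) {
	p := filepath.Join(root, filepath.Clean("/"+rel))
	if p != root && !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return p, nil
}

// SafePath resolves symlinks before deciding containment. Because a request
// may be creating files or directories that do not exist yet, EvalSymlinks
// cannot be run on the full path; instead the longest existing ancestor is
// resolved and the not-yet-existing tail is re-appended before the prefix check.
func SafePath(root, rel string) (string, error) {
	rootReal, err := filepath.EvalSymlinks(root) // root itself may be a symlink (e.g. /var on macOS)
	if err != nil {
		return "", err
	}
	p := filepath.Join(rootReal, filepath.Clean("/"+rel)) // ".." is neutralised lexically here

	existing := p
	var tail []string
	for {
		if _, err := os.Lstat(existing); err == nil {
			break // found the deepest component that exists (may itself be a symlink)
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", fmt.Errorf("no existing ancestor for %q", p)
		}
		tail = append([]string{filepath.Base(existing)}, tail...)
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	final := filepath.Join(append([]string{resolved}, tail...)...)
	if final != rootReal && !strings.HasPrefix(final, rootReal+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return final, nil
}

// BuildScenario constructs the attacker's setup in a temporary directory:
// a server data root containing a symlink "escape" that points at a directory
// outside the root. It returns the root, the outside directory and a cleanup func.
func BuildScenario() (root, outside string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "symlink-follow-demo")
	if err != nil {
		return "", "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	root = filepath.Join(base, "server")
	outside = filepath.Join(base, "outside")
	for _, d := range []string{root, outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			cleanup()
			return "", "", nil, err
		}
	}
	if err = os.Symlink(outside, filepath.Join(root, "escape")); err != nil {
		cleanup()
		return "", "", nil, err
	}
	return root, outside, cleanup, nil
}

func main() {
	root, _, cleanup, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	// The requested path looks like it stays inside the server directory, but
	// "escape" is a symlink, and ".ssh/authorized_keys" does not exist yet.
	req := "escape/.ssh/authorized_keys"
	np, nerr := NaiveSafePath(root, req)
	fmt.Printf("naive : %q err=%v\n", np, nerr)
	sp, serr := SafePath(root, req)
	fmt.Printf("safe  : %q err=%v\n", sp, serr)
}
```

The naive check accepts the request because the string prefix matches, while the resolving check reports the escape because the deepest existing component resolves to the outside directory; a path such as `../../etc/passwd` is cleaned to a location under the root by both checks, which is the intended behaviour for a rooted filesystem, not a bypass.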

Affected Version(s)

wings < 1.7.3 (fixed in 1.7.3)

wings >= 1.11.0, < 1.11.3 (fixed in 1.11.3)


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H
Score: 8.4
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: High
