Wings vulnerable to escape to host from installation container
CVE-2023-32080

9.1 CRITICAL

Key Information:

Status
Vendor
CVE Published: 10 May 2023

What is CVE-2023-32080?

Wings, the server control plane for Pterodactyl Panel, contains a vulnerability that affects versions prior to 1.7.5 and versions from 1.11.0 up to but not including 1.11.6. The flaw allows an attacker who can modify install scripts or execute user-supplied code to break out of the installation container and gain access to the host system running Wings. Upgrading to version 1.11.6 or 1.7.5 is crucial, because a malicious user holding a compromised administrator account on the Panel is in a position to exploit it. A rootless container runtime may provide some mitigation, but most deployments run the container runtime as root, which increases the risk. SELinux may restrict some operations, but privileged containers still retain significant freedom, which worsens the potential for exploitation.

Affected Version(s)

wings: < 1.7.5 (fixed in 1.7.5)

wings: >= 1.11.0, < 1.11.6 (fixed in 1.11.6)
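As an added check, not part of this record or of the Wings project, the following Go program encodes the two affected ranges above and reports whether a given Wings version string falls inside either of them. The version strings in main() are constructed samples; the check applies the two published ranges literally, so a version that lies between them (for example in the 1.8 to 1.10 series) is reported as not affected simply because the record lists no range for it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed MAJOR.MINOR.PATCH triple, the form Wings releases use.
type version struct{ major, minor, patch int }

// parseVersion accepts "1.11.6" or "v1.11.6" and rejects anything else.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2]}, nil
}

// less reports whether v sorts strictly before o.
func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// affectedRange is one row of the advisory's affected-version table:
// an optional inclusive lower bound and an exclusive upper bound (the fix).
type affectedRange struct {
	lower *version
	upper version
}

// cve202332080 holds the two ranges published for CVE-2023-32080.
var cve202332080 = []affectedRange{
	{lower: nil, upper: version{1, 7, 5}},                 // wings < 1.7.5
	{lower: &version{1, 11, 0}, upper: version{1, 11, 6}}, // wings >= 1.11.0, < 1.11.6
}

// IsAffected reports whether the given Wings version string falls inside
// any published range. Versions between the two ranges are reported as not
// affected because the record lists no range for them.
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range cve202332080 {
		aboveLower := r.lower == nil || !v.less(*r.lower)
		belowUpper := v.less(r.upper)
		if aboveLower && belowUpper {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, as one might collect from each Wings node.
	for _, s := range []string{"1.7.4", "1.7.5", "1.11.0", "1.11.5", "v1.11.6", "1.11"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Printf("%-8s unparsable: %v\n", s, err)
			continue
		}
		fmt.Printf("%-8s affected=%v\n", s, affected)
	}
}
```

Feed it the version reported by each node and upgrade any node that reports true to 1.7.5 or 1.11.6 as the record directs; an unparsable string (pre-release or build suffixes are not handled here) is surfaced as an error rather than silently treated as safe.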

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
