Command Injection Vulnerability in 1Panel Product
CVE-2024-2352

9.8CRITICAL

Key Information:

Vendor

1Panel

Status
1panel
Vendor
CVE Published:
10 March 2024

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2024-2352?

A vulnerability has been identified in the 1Panel application, specifically within the baseApi.UpdateDeviceSwap function of the API. This issue arises from improper handling of the Path argument during the device update operation, allowing attackers to inject arbitrary commands. By manipulating the input, such as sending a command to open an application remotely, an attacker could potentially execute unauthorized commands on the server hosting the application. This vulnerability can be exploited without authentication, necessitating immediate attention from users of affected versions. Deployment of a patch is strongly recommended to mitigate the risk associated with this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

1Panel 1.10.1-lts

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-2352 - Proof of Concept

References

https://vuldb.com/?id.256304
vdb-entrytechnical-description
https://vuldb.com/?ctiid.256304
signaturepermissions-required
https://github.com/1Panel-dev/1Panel/pull/4131
issue-tracking

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

Credit

linyz-tel (VulDB User)
JSON
.