9.8

CVE-2023-37265

Exploit

Incorrect identification of source IP addresses in CasaOS

CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IcewhaleCasaos Version < 0.4.4
IcewhaleCasaos Version0.4.4 Updatealpha1
IcewhaleCasaos Version0.4.4 Updatealpha2
IcewhaleCasaos Version0.4.4 Updatealpha3
IcewhaleCasaos Version0.4.4 Updatealpha4
IcewhaleCasaos Version0.4.4 Updatealpha5
IcewhaleCasaos-gateway Version < 0.4.4
IcewhaleCasaos-gateway Version0.4.4 Updatealpha1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.36% 0.928
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7
Patch
https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g
Patch
Vendor Advisory
https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos
Third Party Advisory
Exploit