CVE-2024-27102

EPSS 0.55%
Veröffentlicht 13.03.2024 21:15:59
Zuletzt bearbeitet 23.01.2025 21:26:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Improper isolation of server file access in github.com/pterodactyl/wings

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pterodactyl ≫ Wings Version < 1.11.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.55%	0.413

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-363 Race Condition Enabling Link Following

The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.

https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287

Patch

https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-27102

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-27102

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-27102

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-27102