CVE-2023-25152Link Following in Pterodactyl Wings

CWE-59Link FollowingCWE-61UNIX Symbolic Link (Symlink) Following6 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.8%
top 25.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Pterodactyl WingsPterodactyl WingsMozilla Thunderbird
Timeline
PublishedFeb 8
Latest updateAug 20

Description

Wings is Pterodactyl's server control plane. Affected versions are subject to a vulnerability which can be used to create new files and directory structures on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized keys to allow the attacker access to a remote shell on the target machine. In order to use this exploit, an attacker must have an existing "serve

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

NVDpterodactyl/wings< 1.7.3+3
Gogithub.com/pterodactyl_wings1.11.01.11.3+1
CVEListV5pterodactyl/wings>= 1.11.0, < 1.11.3
Ubuntumozilla/thunderbird< 1:102.9.0+build1-0ubuntu0.18.04.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following in github.com/pterodactyl/wings2024-08-20
OSV
thunderbird vulnerabilities2023-03-27
OSV
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following2023-02-08
GHSA
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following2023-02-08

📋Vendor Advisories

1
Ubuntu
Thunderbird vulnerabilities2023-03-27
CVE-2023-25152 — Link Following in Pterodactyl Wings | cvebase