CVE-2023-25168Link Following in Wings

CWE-59Link Following4 documents3 sources
Severity
8.2HIGHNVD
EPSS
0.8%
top 26.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pterodactyl WingsGithub.com Pterodactyl Wings
Timeline
PublishedFeb 9
Latest updateAug 20

Description

Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.8

Affected Packages3 packages

CVEListV5pterodactyl/wings< 1.7.4+1
NVDpterodactyl/wings1.7.01.7.4+4
Gogithub.com/pterodactyl_wings1.11.01.11.4+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system in github.com/pterodactyl/wings2024-08-20
GHSA
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system2023-02-10
OSV
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system2023-02-10