CVE-2024-24765: Sensitive Information Exposure in CasaOS-UserService

Severity
9.8 CRITICAL (NVD)
EPSS
0.5%
top 35.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 6
Latest update: Mar 11

Description

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.
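The flaw described above is a classic path traversal in a file-serving endpoint: the client-controlled avatar name is turned into a filesystem path without confining the result to the avatar directory. As an added illustration (not code from CasaOS-UserService, the advisory, or the fix), the following Go program contrasts a naive lookup with one that canonicalizes the path, verifies it stays under the avatar directory, and restricts the extension to image types. The directory name, function names and sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers (and tests) can distinguish the rejection reason.
var (
	ErrInvalidName      = errors.New("avatar name is empty or contains a NUL byte")
	ErrOutsideAvatarDir = errors.New("requested path escapes the avatar directory")
	ErrBadExtension     = errors.New("avatar must be an image file")
)

// unsafeAvatarPath shows the weak pattern: string concatenation with no
// containment check. Segments such as "../" in the request survive into the
// resolved path and can reach files outside avatarDir. Illustrative only.
func unsafeAvatarPath(avatarDir, requested string) string {
	return filepath.Clean(avatarDir + "/" + requested)
}

// ResolveAvatarPath maps a client-supplied avatar name onto a file inside
// avatarDir and returns an error if the result would land anywhere else.
// avatarDir is expected to be an absolute directory path (constructed in the
// example below; a real handler would take it from configuration).
func ResolveAvatarPath(avatarDir, requested string) (string, error) {
	if requested == "" || strings.ContainsRune(requested, 0) {
		return "", ErrInvalidName
	}
	root, err := filepath.Abs(avatarDir)
	if err != nil {
		return "", err
	}
	// Join cleans the combined path, so "../" segments are resolved here
	// rather than being passed through to the filesystem.
	full := filepath.Join(root, requested)

	// Rel expresses full relative to root; anything starting with ".." means
	// the cleaned path left the avatar directory.
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideAvatarDir
	}

	// Defense in depth: avatars are images, so refuse anything else even if
	// the path is inside root (this also rejects root itself, whose ext is "").
	switch strings.ToLower(filepath.Ext(full)) {
	case ".png", ".jpg", ".jpeg", ".gif", ".webp":
		return full, nil
	default:
		return "", ErrBadExtension
	}
}

func main() {
	const avatarDir = "/srv/casaos/avatars" // constructed example directory
	for _, name := range []string{"alice.png", "../../etc/passwd", "notes.txt"} {
		safe, err := ResolveAvatarPath(avatarDir, name)
		fmt.Printf("%-20q naive=%-32s checked=%q err=%v\n",
			name, unsafeAvatarPath(avatarDir, name), safe, err)
	}
}
```

Two caveats a reviewer would add: apply the check to the already URL-decoded value exactly once (double decoding reintroduces the bug), and if the avatar directory may contain symlinks, resolve the final path with filepath.EvalSymlinks before serving it and re-run the containment test on the result.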

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Patches

Vulnerability Details (3)
OSV
Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService (2024-03-11)
GHSA
CasaOS-UserService allows unauthorized access to any file (2024-03-06)
OSV
CasaOS-UserService allows unauthorized access to any file (2024-03-06)