CVE-2024-27102 — Path Traversal in Pterodactyl Wings

CWE-22 — Path Traversal CWE-362 — Race Condition CWE-363 — Race Condition Enabling Link Following4 documents3 sources

Severity

8.5HIGHNVD

EPSS

0.4%

top 36.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Pterodactyl Wings Pterodactyl Wings

Timeline

PublishedMar 13

Latest updateJun 4

Description

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vul…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages2 packages

▶NVDpterodactyl/wings< 1.11.9

▶Gogithub.com/pterodactyl_wings< 1.11.9

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings↗2024-06-04

▶

OSV

Pterodactyl Wings vulnerable to improper isolation of server file access↗2024-03-15

▶

GHSA

Pterodactyl Wings vulnerable to improper isolation of server file access↗2024-03-15

▶