x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352 #2674

GoVulnBot · 2024-04-03T11:09:53Z

CVE-2024-2352 references github.com/1Panel-dev/1Panel, which may be a Go module.

Description:
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.

References:

Cross references:

Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36457 #1887 NOT_IMPORTABLE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36458 #1888 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39964 #2004 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39965 #2005 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39966 #2006 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-24768 #2531 EFFECTIVELY_PRIVATE
Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-26w3-q4j8-4xjp #2613

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/1Panel-dev/1Panel
      vulnerable_at: 1.9.6
      packages:
        - package: 1Panel
cves:
    - CVE-2024-2352
references:
    - web: https://vuldb.com/?id.256304
    - web: https://vuldb.com/?ctiid.256304
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131#issue-2176105990
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c

The text was updated successfully, but these errors were encountered:

tatianab · 2024-04-03T16:39:00Z

Duplicate of #2636

tatianab marked this as a duplicate of #2636 Apr 3, 2024

tatianab closed this as completed Apr 3, 2024

tatianab added the duplicate label Apr 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352 #2674

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352 #2674

GoVulnBot commented Apr 3, 2024

tatianab commented Apr 3, 2024

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352 #2674

x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352 #2674

Comments

GoVulnBot commented Apr 3, 2024

tatianab commented Apr 3, 2024