CVE-2023-37266

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-37266

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-37266.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-37266

Aliases

Published

2023-07-17T20:57:43Z

Modified

2025-10-30T19:32:08Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Weak json web token (JWT) secrets in CasaOS

Details

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/icewhaletech/casaos

Affected ranges

Type

GIT

Repo

https://github.com/icewhaletech/casaos

Events

Introduced

Fixed

9d6381d7ac91d51839814a9b350f8782c3042bc3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.4.4"
        }
    ]
}