GHSA-5grx-v727-qmq6

Source

https://github.com/advisories/GHSA-5grx-v727-qmq6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-5grx-v727-qmq6/GHSA-5grx-v727-qmq6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-5grx-v727-qmq6

Aliases

CVE-2024-39907
GO-2024-2990

Published

2024-07-18T14:25:00Z

Modified

2024-07-24T13:49:36Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

1Panel has an SQL injection issue related to the orderBy clause

Details

Summary

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows

Details （one of them ）

PoC

curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"3","order":"ascending","name":"a"} <img width="664" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f"> for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require strict whitelist filtering

Impact

RCE、data leak.

Database specific

{
    "nvd_published_at": "2024-07-18T16:15:07Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T14:25:00Z"
}

References

Affected packages

Go / github.com/1Panel-dev/1Panel

Package

Name: github.com/1Panel-dev/1Panel; View open source insights on deps.dev
Purl: pkg:golang/github.com/1Panel-dev/1Panel

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.10.12-tls