Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2024-34068 #2815

Open
GoVulnBot opened this issue May 3, 2024 · 1 comment
Open

x/vulndb: potential Go vuln in github.com/pterodactyl/wings: CVE-2024-34068 #2815

GoVulnBot opened this issue May 3, 2024 · 1 comment
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

CVE-2024-34068 references github.com/pterodactyl/wings, which may be a Go module.

Description:
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the api.disable_remote_download option as a workaround.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/pterodactyl/wings
      vulnerable_at: 1.11.12
      packages:
        - package: wings
summary: CVE-2024-34068 in github.com/pterodactyl/wings
cves:
    - CVE-2024-34068
references:
    - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-qq22-jj8x-4wwv
    - advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv
    - fix: https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8
source:
    id: CVE-2024-34068
@tatianab tatianab self-assigned this May 6, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot