x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-34352

[GoVulnBot]

CVE-2024-34352 references github.com/1Panel-dev/1Panel, which may be a Go module.

Description:
1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol > can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34352
• JSON: https://github.com/CVEProject/cvelist/tree/82f35c8b77f63adb3d78a07967f8701c9fd44151/2024/34xxx/CVE-2024-34352.json
• advisory: GHSA-f8ch-w75v-c847
• Imported by: https://pkg.go.dev/github.com/1Panel-dev/1Panel?tab=importedby

Cross references:

• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36457 #1887 NOT_IMPORTABLE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36458 #1888 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39964 #2004 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39965 #2005 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39966 #2006 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-24768 #2531 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-26w3-q4j8-4xjp #2613

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/1Panel-dev/1Panel
      vulnerable_at: 1.9.6
      packages:
        - package: 1Panel
summary: CVE-2024-34352 in github.com/1Panel-dev/1Panel
cves:
    - CVE-2024-34352
references:
    - advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847
source:
    id: CVE-2024-34352

[gopherbot]

Change https://go.dev/cl/584657 mentions this issue: data/reports: add GO-2024-2830.yaml