PT-2022-9948 · Hestiacp · Hestiacp

Published: 2022-08-18 · Updated: 2022-08-19 · CVE-2021-30070

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HestiaCP versions prior to 1.3.5

Description: An issue was discovered in HestiaCP that allows attackers to install arbitrary packages, because values taken from the pgk parameter of the update request are passed on to the operating system's package manager.

Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the package manager or disabling the update request functionality until the patch is applied. Avoid using the pgk parameter in the update request until the issue is resolved.

Fix

Related Identifiers

CVE-2021-30070

Affected Products

Hestiacp