CVE-2023-37265

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions CasaOS versions prior to 0.4.4

Description CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, an unauthenticated attacker can execute arbitrary commands as root on CasaOS instances. The problem was addressed by improving the detection of client IP addresses.

Recommendations For versions prior to 0.4.4, upgrade to CasaOS 0.4.4. If upgrading to 0.4.4 is not possible, temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306CWE-348

Related Identifiers

CVE-2023-37265

GHSA-VJH7-5R6X-XH6G

GO-2023-1932

Affected Products

Casaos

CVE-2023-37265

Weakness Enumeration

Related Identifiers

Affected Products

References · 19