CVE-2023-37477

Name of the Vulnerable Software and Affected Versions 1Panel versions prior to 1.4.3

Description An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. The /hosts/firewall/ip endpoint reads user input without validation, allowing an attacker to extend the default functionality of the application and execute system commands. This can lead to a complete compromise of the system.

Recommendations For versions prior to 1.4.3, upgrade to version 1.4.3 to address the vulnerability. As a temporary workaround, consider restricting access to the /hosts/firewall/ip endpoint until the issue is resolved. Avoid using unvalidated user input in the firewall functionality to minimize the risk of exploitation.