PT-2023-3706 · Acme.Sh · Acme.Sh

Mholt · Published 2023-06-09 · Updated 2026-06-16 · CVE-2023-38198

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: acme.sh versions prior to 3.0.6

Description: The issue arises from insufficient input validation in the Eval function of the ACME protocol client Acme.sh, allowing a remote attacker to execute arbitrary code. It was exploited in the wild in June 2023.

Recommendations: For versions prior to 3.0.6, update to version 3.0.6 or later to resolve the issue. As a temporary workaround, consider disabling the use of the eval function in Acme.sh until the patch is applied. Restrict access to the Acme.sh client to minimize the risk of exploitation, and avoid using it with untrusted input until the issue is resolved.

Fix

Code Injection

RCE


Weakness Enumeration

Related identifiers

BDU:2023-03994
CVE-2023-38198

Affected products

Acme.Sh