PT-2023-6374 · Casaos · Casaos

Thomas Chauchefoin (SonarSource) · Published 2023-07-17 · Updated 2024-12-12 · CVE-2023-37266

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: CasaOS versions prior to 0.4.4
Description: Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication, allowing them to execute arbitrary commands as root on CasaOS instances. This issue stems from weaknesses in the authentication procedure, specifically in the validation of JWTs.
Recommendations: For versions prior to 0.4.4, upgrade to CasaOS 0.4.4 to resolve the issue. If upgrading to 0.4.4 is not possible, temporarily restrict untrusted users' access to CasaOS, for instance by not exposing it publicly, to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers:
BDU:2023-07086
CVE-2023-37266
GHSA-M5Q5-8MFW-P2HR
GO-2023-1931

Affected Products: Casaos