CVE-2023-25168

Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. There are no known workarounds for this issue.

CVSS v3.0 8.2 HIGH

8.2^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d	Patch Vendor Advisory
https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5	Vendor Advisory
https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63	Vendor Advisory

Configurations

Configuration 1

cpe:2.3:a:pterodactyl:wings:1.11.1:*:*:*:*:*:*:*

cpe:2.3:a:pterodactyl:wings:1.11.2:*:*:*:*:*:*:*

cpe:2.3:a:pterodactyl:wings:1.11.0:-:*:*:*:*:*:*

cpe:2.3:a:pterodactyl:wings:1.11.3:*:*:*:*:*:*:*

cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*:*

History

24 Jan 2023, 16:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:predictapp_project:predictapp::::::::
References	~~(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 -~~	(MISC) https://github.com/abhilash1985/PredictApp/commit/b067372f3ee26fe1b657121f0f41883ff4461a06 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/abhilash1985/PredictApp/pull/73 -~~	(MISC) https://github.com/abhilash1985/PredictApp/pull/73 - Patch, Third Party Advisory
References	~~(MISC) https://vuldb.com/?id.218387 -~~	(MISC) https://vuldb.com/?id.218387 - Third Party Advisory
References	~~(MISC) https://vuldb.com/?ctiid.218387 -~~	(MISC) https://vuldb.com/?ctiid.218387 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Predictapp Project predictapp Predictapp Project

16 Jan 2023, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-09 12:16

Updated : 2023-02-16 02:51

NVD link : CVE-2023-25168

Mitre link : CVE-2023-25168

Products Affected

No products.

CWE

CWE-59