CVE-2023-37266

nvd nist nuclei

Published: Jul 17, 2023Modified: Apr 10, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

Affected (1)

Products: Icewhale: Casaos

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Icewhale Casaos	Before 0.4.4

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (5)

https://github.com/IceWhaleTech/CasaOS/commit/705bf1facbffd2ca40b159b0303132b6fdf657ad

Source: security-advisories@github.com

Patch

https://github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr

Source: security-advisories@github.com

PatchThird Party Advisory

https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/IceWhaleTech/CasaOS/commit/705bf1facbffd2ca40b159b0303132b6fdf657ad

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.