CVE-2024-24765

Published: Mar 6, 2024Modified: Feb 26, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

Affected (1)

Products: Icewhale: Casaos

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Icewhale Casaos	Before 0.4.7

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e

Source: security-advisories@github.com

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Source: security-advisories@github.com

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.