GHSA-gqmf-jqgv-v8fw: Pterodactyl Wings vulnerable to Arbitrary File Write/Read

Impact

If the Wings token is leaked, either by viewing the node configuration or by posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated with.

Workarounds

Enabling the ignore_panel_config_updates option or updating to the latest version of Wings are the only known workarounds.

Patches

https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de

Package

gomod github.com/pterodactyl/wings (Go)

Affected versions

< 1.11.12

Patched versions

1.11.12
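
An added example, not part of the advisory or of the Wings code base: a small Go check that flags a node needing action when its version is in the affected range and the workaround is not set. It assumes the version is a semver string and that ignore_panel_config_updates is a top-level boolean key in the node's YAML configuration; the function names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

var patched = [3]int{1, 11, 12} // first fixed release per the advisory

// affected reports whether version falls in the advisory's "< 1.11.12" range.
func affected(version string) (bool, error) {
	v, _, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), "+")
	core, _, pre := strings.Cut(v, "-") // a pre-release sorts before its release
	var got [3]int
	fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2])
	if fmt.Sprintf("%d.%d.%d", got[0], got[1], got[2]) != core {
		return true, fmt.Errorf("unexpected version %q", version)
	}
	for i, n := range got {
		if n != patched[i] {
			return n < patched[i], nil
		}
	}
	return pre, nil
}

// workaroundEnabled finds an unindented, uncommented "ignore_panel_config_updates: true".
func workaroundEnabled(cfg string) (on bool) {
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		key, val, _ := strings.Cut(sc.Text(), ":")
		if key == "ignore_panel_config_updates" { // assumed top-level key
			val, _, _ = strings.Cut(val, "#") // drop a trailing comment
			on = strings.EqualFold(strings.TrimSpace(val), "true")
		}
	}
	return
}

// needsAction: affected version and no workaround; unparseable versions fail closed.
func needsAction(version, cfg string) bool {
	aff, err := affected(version)
	return err != nil || (aff && !workaroundEnabled(cfg))
}

func main() {
	fmt.Println(needsAction("v1.11.11", "debug: false\n")) // constructed sample config
}
```

A commented-out or indented occurrence of the key is treated as not set, so such a node is still reported.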

References

  • GHSA-gqmf-jqgv-v8fw
  • https://nvd.nist.gov/vuln/detail/CVE-2024-34066
  • pterodactyl/wings@5415f8a

matthewpi published to pterodactyl/wings

May 3, 2024

Published by the National Vulnerability Database

May 3, 2024

Published to the GitHub Advisory Database

May 3, 2024

Reviewed

May 3, 2024

Last updated

May 3, 2024
