GHSA-gqmf-jqgv-v8fw

Source
https://github.com/advisories/GHSA-gqmf-jqgv-v8fw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-gqmf-jqgv-v8fw/GHSA-gqmf-jqgv-v8fw.json
Aliases
Published
2024-05-03T20:28:10Z
Modified
2024-05-03T20:43:32.757245Z
Summary
Pterodactyl Wings vulnerable to Arbitrary File Write/Read
Details

Impact

If the Wings token is leaked, either by viewing the node configuration or by posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated with.

Workarounds

Enabling the ignore_panel_config_updates option or updating to the latest version of Wings are the only known workarounds.

Patches

https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de

References

Affected packages

Go / github.com/pterodactyl/wings

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.11.12