Vulnerability Description
Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. There are no known workarounds for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pterodactyl | Wings | >= 1.7.0, < 1.7.4 |
Related Weaknesses (CWE)
References
- https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25PatchVendor Advisory
- https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63Vendor Advisory
- https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5Vendor Advisory
- https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25PatchVendor Advisory
- https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63Vendor Advisory
- https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5Vendor Advisory
FAQ
What is CVE-2023-25168?
CVE-2023-25168 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj...
How severe is CVE-2023-25168?
CVE-2023-25168 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-25168?
Check the references section above for vendor advisories and patch information. Affected products include: Pterodactyl Wings.