
CVE-2022-24193: Command Injection in CasaOS

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.95543%
Published: 3/11/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: github.com/IceWhaleTech/CasaOS
Ecosystem: go
Vulnerable Versions: < 0.2.7
First Patched Version: 0.2.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in the ZeroTier network management endpoints, where:

  1. Pre-patch code accepted arbitrary network IDs without any length or character validation
  2. The patch added the critical validation checks (a 16-character length requirement and an alphanumeric filter via NetworkIdFilter)
  3. Command injection typically occurs when untrusted input flows into system command execution
  4. The service layer methods in zerotier.go likely construct OS commands using the networkId parameter
  5. The CWE-78 classification confirms improper neutralization of OS command special elements
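As an added example (not CasaOS's own code), the Go snippet below shows how the validation the patch describes fits together with a no-shell invocation: the ID is checked for length and character set, then passed as a discrete argv element rather than spliced into a shell string. The function names, the `zerotier-cli` command line, and the sample IDs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)
// ErrBadNetworkID is returned when a caller-supplied ID fails validation.
var ErrBadNetworkID = errors.New("zerotier network id must be 16 alphanumeric characters")
// ValidateNetworkID applies the post-patch rule the page describes: exactly
// 16 characters, each alphanumeric. (Hypothetical name, not CasaOS's code.)
func ValidateNetworkID(id string) error {
	if len(id) != 16 {
		return ErrBadNetworkID
	}
	for i := 0; i < len(id); i++ {
		c := id[i]
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z') {
			return ErrBadNetworkID
		}
	}
	return nil
}
// BuildCommand validates, then returns argv with the ID as a discrete element
// (never spliced into a shell string), so metacharacters stay literal.
func BuildCommand(action, id string) ([]string, error) {
	if action != "join" && action != "leave" {
		return nil, fmt.Errorf("unsupported zerotier action %q", action)
	}
	if err := ValidateNetworkID(id); err != nil {
		return nil, err
	}
	return []string{"zerotier-cli", action, id}, nil // CLI name is an assumption
}
// RunZeroTier executes the validated argv directly, without "sh -c".
func RunZeroTier(action, id string) ([]byte, error) {
	argv, err := BuildCommand(action, id)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() { // constructed sample IDs: valid, too short, contains a shell metacharacter
	for _, id := range []string{"8056c2e21c000001", "abc", "8056c2e21c00000;"} {
		_, err := BuildCommand("join", id)
		fmt.Printf("%q -> %v\n", id, err)
	}
}
```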


WAF Protection Rules

WAF Rule

CasaOS before v0.2.7 was discovered to contain a command injection vulnerability via the component leave or join zerotier api.
