9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37266

GHSA ID

GHSA-m5q5-8mfw-p2hr

EPSS Score

0.99505%

CWE

CWE-287

Published

7/17/2023

Updated

12/12/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37266

CVE-2023-37266: CasaOS contains weak JWT secrets

Impact

Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances.

Patches

The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.

Workarounds

Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

References

705bf1f
https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37266

GHSA ID

GHSA-m5q5-8mfw-p2hr

EPSS Score

0.99505%

CWE

CWE-287

Published

7/17/2023

Updated

12/12/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/IceWhaleTech/CasaOS	go	< 0.4.4	0.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) The JWT validation used weak credentials (CWE-1391) as shown by the commit switching to ECDSA public key validation and external key storage. 2) The ExceptLocalhost middleware created an authentication bypass condition (CWE-287). The commit diff shows these functions were modified to use proper public key validation and remove IP-based authentication bypass. The original JWT.Validate implementation likely used HMAC with a weak/static secret, while ExceptLocalhost's IP-based trust enabled exploitation when combined with header injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Un*ut**nti**t** *tt**k*rs **n *r**t *r*itr*ry JWTs *n* ****ss ***tur*s t**t usu*lly r*quir* *ut**nti**tion *n* *x**ut* *r*itr*ry *omm*n*s *s `root` on **s*OS inst*n**s. ### P*t***s T** pro*l*m w*s ***r*ss** *y improvin* t** v*li**tion o

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) T** JWT `v*li**tion` us** w**k *r***nti*ls (*W*-****) *s s*own *y t** *ommit swit**in* to ***S* pu*li* k*y `v*li**tion` *n* *xt*rn*l k*y stor***. *) T** `*x**ptLo**l*ost` mi**l*w*r* *r**t** *n *ut**nt

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-37266: CasaOS contains weak JWT secrets

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI