8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37477

GHSA ID

GHSA-p9xf-74xh-mhw5

EPSS Score

0.67826%

CWE

CWE-78

Published

7/18/2023

Updated

11/7/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37477

CVE-2023-37477: 1Panel command injection vulnerability in Firewall ip functionality

Summary

An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Details

1Panel firewall functionality /hosts/firewall/ip endpoint read user input without validation, the attacker extends the default functionality of the application, which execute system commands.

PoC

the payload ; sleep 3 # will lead server response in 3 seconds

the payload ; sleep 6 # will lead server response in 6 seconds

Impact

An attacker can execute arbitrary code on the target system, which can lead to a complete compromise of the system.

Patches

The vulnerability has been fixed in v1.4.3.

Workarounds

It is recommended to upgrade the version to v1.4.3.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/1Panel-dev/1Panel Email us at wanghe@fit2cloud.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-37477

CVE-2023-37477:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37477

GHSA ID

GHSA-p9xf-74xh-mhw5

EPSS Score

0.67826%

CWE

CWE-78

Published

7/18/2023

Updated

11/7/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/1Panel-dev/1Panel	go	<= 1.4.2	1.4.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from firewall rule handlers that constructed OS commands using unsanitized user inputs. The patch added cmd.CheckIllegal validations to these exact functions, confirming they were injection points. The PoC demonstrates command injection through firewall parameters, and the CWE-78 classification matches the command injection pattern. The functions directly handle the /hosts/firewall/ip endpoint's parameters as evidenced by the security advisory and commit changes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-37477: 1Panel command injection vulnerability in Firewall ip functionality

Summary

Details

PoC

Impact

Patches

Workarounds

References

CVE-2023-37477:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-37477: 1Panel command injection vulnerability in Firewall ip functionality

Summary

Details

PoC

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI