
CVE-2024-34066: Pterodactyl Wings vulnerable to Arbitrary File Write/Read

CVSS Score: 8.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.48117%
Published: 5/3/2024
Updated: 5/3/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/pterodactyl/wings | go | < 1.11.12 | 1.11.12 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from configuration fields that were exposed to JSON deserialization in the struct definitions themselves, not in any one function: every field with a JSON name could be overwritten by a programmatic configuration update sent to the node's API by a caller holding the node token. The fix adds `json:"-"` tags to the sensitive fields (ApiConfiguration.DisableRemoteDownload, the SystemConfiguration fields, and Configuration.PanelLocation), so encoding/json neither serializes nor deserializes them and an update can no longer change them. Because the weakness sits at the data structure and API interaction layer rather than in a specific function body, the diff shows no function performing the deserialization or the configuration update that could be analysed directly.
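As an added illustration of the root cause described above (example code written for this page, not Wings' own code), the block below pairs a cut-down configuration struct in the pre-fix shape, where every field has a JSON name, with one in the post-fix shape carrying `json:"-"` on the sensitive fields, and applies the same panel-style JSON update to both. Struct names, field names, the defaults and the request body are assumptions; the real Wings structs are much larger. It also goes one step beyond the fix: decoding with DisallowUnknownFields turns a request that names a hidden field into an error rather than a silent no-op, which is what an operator would want to see in the logs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Illustrative stand-ins for the Wings configuration structs: the real ones
// carry many more fields, and the defaults below are assumptions, not values
// taken from the project. "Before" is the pre-1.11.12 layout, where every
// field has a JSON name; "After" carries the json:"-" tags the fix added.
type SystemConfigurationBefore struct {
	Data         string `json:"data"`          // root directory of all server volumes
	LogDirectory string `json:"log_directory"` // where the node writes its logs
}

type ConfigurationBefore struct {
	PanelLocation string                    `json:"remote"` // panel URL the node trusts
	System        SystemConfigurationBefore `json:"system"`
	Debug         bool                      `json:"debug"`
}

type SystemConfigurationAfter struct {
	Data         string `json:"-"` // encoding/json now ignores these entirely
	LogDirectory string `json:"-"`
}

type ConfigurationAfter struct {
	PanelLocation string                   `json:"-"`
	System        SystemConfigurationAfter `json:"system"`
	Debug         bool                     `json:"debug"` // still updatable by design
}

// applyUpdate models a panel-driven configuration update: the request body is
// decoded over the live configuration, so every field with a JSON name is
// writable by whoever presents a valid node token. With strict set, fields
// the node does not expose make the request fail instead of being dropped
// silently.
func applyUpdate(cfg any, body []byte, strict bool) error {
	dec := json.NewDecoder(bytes.NewReader(body))
	if strict {
		dec.DisallowUnknownFields()
	}
	return dec.Decode(cfg)
}

// Constructed request body (not a captured exploit): a holder of a leaked
// node token tries to move the volume root to "/" and swap the trusted panel.
const maliciousUpdate = `{
  "debug": true,
  "remote": "https://attacker.example",
  "system": {"data": "/", "log_directory": "/etc"}
}`

func defaultBefore() ConfigurationBefore {
	return ConfigurationBefore{
		PanelLocation: "https://panel.example",
		System: SystemConfigurationBefore{
			Data:         "/var/lib/pterodactyl/volumes",
			LogDirectory: "/var/log/pterodactyl",
		},
	}
}

func defaultAfter() ConfigurationAfter {
	return ConfigurationAfter{
		PanelLocation: "https://panel.example",
		System: SystemConfigurationAfter{
			Data:         "/var/lib/pterodactyl/volumes",
			LogDirectory: "/var/log/pterodactyl",
		},
	}
}

// UpdateBefore applies the malicious body to the unpatched layout: the volume
// root, log directory and panel URL are all overwritten.
func UpdateBefore() (ConfigurationBefore, error) {
	cfg := defaultBefore()
	err := applyUpdate(&cfg, []byte(maliciousUpdate), false)
	return cfg, err
}

// UpdateAfter applies the same body to the patched layout. Lenient decoding
// keeps the sensitive fields at their defaults and only toggles Debug; strict
// decoding rejects the request outright because "remote" is an unknown key.
// Decoding happens on a local copy, so a rejected request changes nothing.
func UpdateAfter(strict bool) (ConfigurationAfter, error) {
	cfg := defaultAfter()
	err := applyUpdate(&cfg, []byte(maliciousUpdate), strict)
	return cfg, err
}

func main() {
	b, _ := UpdateBefore()
	fmt.Printf("before fix: data=%q remote=%q\n", b.System.Data, b.PanelLocation)
	a, _ := UpdateAfter(false)
	fmt.Printf("after fix:  data=%q remote=%q debug=%v\n", a.System.Data, a.PanelLocation, a.Debug)
	_, err := UpdateAfter(true)
	fmt.Printf("after fix, strict decoder: %v\n", err)
}
```

The point to take from the two layouts is that `json:"-"` is a property of the type, so it protects every code path that decodes into it, not just the one handler the diff happened to touch; the same tag also keeps the fields out of any JSON the node serializes back to the panel. The strict variant is a separate design choice: it surfaces tampering attempts, but it also breaks panels that send fields a node no longer recognises, so it belongs behind a compatibility decision rather than being switched on blindly.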


WAF Protection Rules

WAF Rule

### Impact

If the Wings token is leaked, either by viewing the node configuration or by posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to.

### Workarounds
