1panel
Fixed in
1.10.10
CVE-2024-39907 describes a critical SQL injection vulnerability discovered in 1Panel, a web-based Linux server management control panel. This vulnerability allows attackers to perform arbitrary file writes, ultimately leading to remote code execution (RCE) on affected systems. The vulnerability impacts versions 1.10.9-tls through 1.10.11, and a fix is available in version 1.10.12-tls.
The impact of CVE-2024-39907 is severe. Successful exploitation allows an attacker to inject malicious SQL code into 1Panel's database queries. This injected code can then be leveraged to write arbitrary files to the server's file system. The ability to write files grants an attacker the potential to overwrite critical system files, install malware, or gain persistent access to the server. The ultimate consequence is remote code execution, giving the attacker complete control over the compromised server. Given 1Panel's role as a server management tool, a successful attack could lead to widespread compromise of the managed services and data.
As of the public disclosure date (2024-07-18), there is no indication of active exploitation of CVE-2024-39907. However, the vulnerability's CRITICAL severity and the potential for RCE suggest a high likelihood of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the nature of SQL injection vulnerabilities makes it likely that such exploits will emerge.
Organizations and individuals using 1Panel to manage their Linux servers are at risk. This includes those relying on 1Panel for hosting websites, applications, or other services. Shared hosting environments utilizing 1Panel are particularly vulnerable, as a compromise of one user's account could potentially lead to the compromise of the entire server.
• linux / server: journalctl -u 1panel | grep -i "sql error"
• linux / server: ps aux | grep -i "1panel"
• generic web: curl -I http://<1panel_ip>/api/ # Check for exposed API endpoints
Exploit Status
EPSS: 84.70% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-39907 is to immediately upgrade 1Panel to version 1.10.12-tls or later. Due to the nature of the vulnerability (SQL injection leading to arbitrary file writes), there are no known workarounds beyond patching. Consider implementing stricter database access controls and input validation as a preventative measure against future SQL injection vulnerabilities. Regularly audit 1Panel configurations and user permissions to minimize the attack surface. After upgrading, verify the integrity of critical system files and review 1Panel logs for any signs of suspicious activity.
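As an added example (not part of the advisory or of the 1Panel project), the following Python checks an installed 1Panel version string against the affected range and fix version given above. It assumes versions have the form MAJOR.MINOR.PATCH with an optional build suffix such as "-tls", and that the suffix does not affect ordering.

```python
import re
from typing import Tuple

# Version boundaries as stated in this advisory for CVE-2024-39907.
AFFECTED_MIN = "1.10.9-tls"
AFFECTED_MAX = "1.10.11"
FIXED_IN = "1.10.12-tls"

# Accepts "1.10.9-tls", "v1.10.11", "1.10.12-tls"; the optional build suffix
# (e.g. "-tls") is captured but, by assumption, not used for ordering.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a 1Panel version string into a numeric triple and its suffix."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised 1Panel version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch)), (suffix or "")


def is_affected(version: str) -> bool:
    """True when the numeric part falls inside the advisory's affected range."""
    num, _ = parse_version(version)
    low, _ = parse_version(AFFECTED_MIN)
    high, _ = parse_version(AFFECTED_MAX)
    return low <= num <= high


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    try:
        num, _ = parse_version(version)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    fixed, _ = parse_version(FIXED_IN)
    if is_affected(version):
        return f"AFFECTED: {version} is in {AFFECTED_MIN}..{AFFECTED_MAX}; upgrade to {FIXED_IN}"
    if num >= fixed:
        return f"OK: {version} includes the fix ({FIXED_IN} or later)"
    return f"NOT IN RANGE: {version} predates the affected versions; confirm against the advisory"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names), not real hosts.
    inventory = [("web-01", "1.10.9-tls"), ("web-02", "1.10.11"),
                 ("web-03", "1.10.12-tls"), ("web-04", "1.10.8")]
    for host, ver in inventory:
        print(host, assess(ver))
```

Feed it the version shown in the 1Panel UI or recorded in your asset inventory; anything reported AFFECTED should be scheduled for the upgrade described above.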
Update 1Panel to version 1.10.12-tls or later. This version fixes the SQL injection vulnerabilities that allow arbitrary file writes and remote code execution. There are no known workarounds.
CVE-2024-39907 is a critical SQL injection vulnerability in 1Panel versions 1.10.9-tls through 1.10.11 that allows attackers to execute arbitrary code on the server.
You are affected if you are running 1Panel versions 1.10.9-tls through 1.10.11. Upgrade to 1.10.12-tls or later to resolve the issue.
Upgrade 1Panel to version 1.10.12-tls or later. There are no known workarounds.
There is currently no confirmed active exploitation, but the vulnerability's severity suggests a high likelihood of exploitation if unpatched.
Refer to the 1Panel official website and security advisories for the latest information and updates regarding CVE-2024-39907.