Platform
go
Component
github.com/1panel-dev/1panel
Opgelost in
1.10.13
1.10.12-lts
CVE-2024-39911 represents a critical SQL injection vulnerability discovered in 1Panel, a Go-based web hosting control panel. This flaw allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized data access and system compromise. The vulnerability impacts versions of 1Panel prior to 1.10.12-lts, and a patch has been released to address the issue.
The impact of CVE-2024-39911 is severe. Successful exploitation allows an attacker to bypass authentication and authorization mechanisms, directly manipulating the underlying database. This could result in the theft of sensitive user data, including credentials, personal information, and financial details. Furthermore, an attacker could modify database records, leading to data corruption or denial of service. The ability to execute arbitrary SQL commands grants a high degree of control over the affected system, potentially enabling lateral movement to other connected resources.
CVE-2024-39911 was publicly disclosed on July 22, 2024. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's severity (CVSS 10.0) and ease of exploitation suggest a medium probability of exploitation, particularly given the popularity of 1Panel. It is advisable to prioritize patching to prevent potential compromise.
Organizations and individuals using 1Panel for web hosting, particularly those with sensitive data stored in the database, are at significant risk. Shared hosting environments utilizing 1Panel are especially vulnerable, as a compromise of one user's account could potentially impact other users on the same server.
• linux / server:
journalctl -u 1Panel -g 'SQL injection' --since "1 day ago"• generic web:
curl -I <1Panel_URL>/admin/login.php?username='; DROP TABLE users;--• database (mysql):
SELECT * FROM users WHERE username LIKE '%'; DROP TABLE users;%'disclosure
Exploit Status
EPSS
68.29% (99% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-39911 is to immediately upgrade to version 1.10.12-lts or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within the application code. While these are not a complete solution, they can reduce the attack surface. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide an additional layer of defense. Monitor database logs for suspicious SQL queries that may indicate an ongoing attack.
Actualice 1Panel a la versión 1.10.12-lts o superior. Esta versión contiene la corrección para la vulnerabilidad de inyección SQL. No existen workarounds conocidos, por lo que la actualización es la única solución.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-39911 is a critical SQL injection vulnerability in 1Panel, allowing attackers to inject malicious SQL code and potentially gain unauthorized access to the database.
You are affected if you are running 1Panel versions prior to 1.10.12-lts. Check your version and upgrade immediately.
Upgrade to version 1.10.12-lts or later. If immediate upgrade is not possible, implement input validation and WAF rules as temporary mitigations.
While no public exploits are currently available, the vulnerability's severity suggests a medium probability of exploitation. Proactive patching is highly recommended.
Refer to the 1Panel official website and GitHub repository for the latest security advisories and updates related to CVE-2024-39911.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je go.mod-bestand en we vertellen je direct of je getroffen bent.