Vulnerabilities related to pterodactyl - panel
CVE-2021-41129 (GCVE-0-2021-41129)
Vulnerability from cvelistv5
Published
2021-10-06 20:05
Modified
2024-08-04 02:59
CWE
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user.
Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user.
At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably:
1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow.
2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met:
3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker.
In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere.
Impacted products
Vendor Product Version
pterodactyl panel Version: >= 1.0.0, < 1.6.2


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel\u0027s cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-807",
              "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-06T20:05:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2"
        }
      ],
      "source": {
        "advisory": "GHSA-5vfx-8w6m-h3v4",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication bypass in Pterodactyl",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41129",
          "STATE": "PUBLIC",
          "TITLE": "Authentication bypass in Pterodactyl"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "panel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.0.0, \u003c 1.6.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "pterodactyl"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel\u0027s cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Deserialization of Untrusted Data"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-639: Authorization Bypass Through User-Controlled Key"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4",
              "refsource": "CONFIRM",
              "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4"
            },
            {
              "name": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977"
            },
            {
              "name": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162"
            },
            {
              "name": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5vfx-8w6m-h3v4",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41129",
    "datePublished": "2021-10-06T20:05:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41176 (GCVE-0-2021-41176)
Vulnerability from cvelistv5
Published
2021-10-25 16:50
Modified
2024-08-04 02:59
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3.
Impacted products
Vendor Product Version
pterodactyl panel Version: >= 1.0.0 < 1.6.3


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0 \u003c 1.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel\u0027s sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-25T16:50:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3"
        }
      ],
      "source": {
        "advisory": "GHSA-m49f-hcxp-6hm6",
        "discovery": "UNKNOWN"
      },
      "title": "logout CSRF in Pterodactyl Panel",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41176",
          "STATE": "PUBLIC",
          "TITLE": "logout CSRF in Pterodactyl Panel"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "panel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.0.0 \u003c 1.6.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "pterodactyl"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel\u0027s sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6",
              "refsource": "CONFIRM",
              "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"
            },
            {
              "name": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"
            },
            {
              "name": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-m49f-hcxp-6hm6",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41176",
    "datePublished": "2021-10-25T16:50:10",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41273 (GCVE-0-2021-41273)
Vulnerability from cvelistv5
Published
2021-11-17 19:30
Modified
2024-08-04 03:08
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.
Impacted products
Vendor Product Version
pterodactyl panel Version: < 1.6.6


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.614Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-17T19:30:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
        }
      ],
      "source": {
        "advisory": "GHSA-wwgq-9jhf-qgw6",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41273",
          "STATE": "PUBLIC",
          "TITLE": "Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "panel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.6.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "pterodactyl"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6",
              "refsource": "CONFIRM",
              "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
            },
            {
              "name": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5",
              "refsource": "MISC",
              "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-wwgq-9jhf-qgw6",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41273",
    "datePublished": "2021-11-17T19:30:12",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49132 (GCVE-0-2025-49132)
Vulnerability from cvelistv5
Published
2025-06-20 16:56
Modified
2025-06-20 17:34
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.
Impacted products
Vendor Product Version
pterodactyl panel Version: < 1.11.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-20T17:34:12.035579Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-20T17:34:24.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel\u0027s server, read credentials from the Panel\u0027s config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-20T16:56:41.403Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0"
        },
        {
          "name": "https://github.com/pterodactyl/panel/releases/tag/v1.11.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/releases/tag/v1.11.11"
        }
      ],
      "source": {
        "advisory": "GHSA-24wv-6c99-f843",
        "discovery": "UNKNOWN"
      },
      "title": "Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49132",
    "datePublished": "2025-06-20T16:56:41.403Z",
    "dateReserved": "2025-06-02T10:39:41.633Z",
    "dateUpdated": "2025-06-20T17:34:24.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-34067 (GCVE-0-2024-34067)
Vulnerability from cvelistv5
Published
2024-05-03 17:38
Modified
2024-08-02 02:42
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To reiterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. This issue has been addressed in version 1.11.6 and users are advised to upgrade. No workaround is available other than updating to the latest version of the panel.
Impacted products
Vendor Product Version
pterodactyl panel Version: < 1.11.6


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pterodactyl:panel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "panel",
            "vendor": "pterodactyl",
            "versions": [
              {
                "lessThan": "1.11.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34067",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-03T20:23:13.647414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T17:59:27.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:42:59.886Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q"
          },
          {
            "name": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2"
          },
          {
            "name": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16"
          },
          {
            "name": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To iterate, this would require an administrator to perform actions and can\u0027t be triggered by a normal panel user. This issue has has been addressed in version 1.11.6 and users are advised to upgrade. No workaround is available other than updating to the latest version of the panel."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T17:38:18.268Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817"
        }
      ],
      "source": {
        "advisory": "GHSA-384w-wffr-x63q",
        "discovery": "UNKNOWN"
      },
      "title": "Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34067",
    "datePublished": "2024-05-03T17:38:18.268Z",
    "dateReserved": "2024-04-30T06:56:33.381Z",
    "dateUpdated": "2024-08-02T02:42:59.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-1020002 (GCVE-0-2019-1020002)
Vulnerability from cvelistv5
Published
2019-07-29 14:25
Modified
2024-08-05 03:14
CWE
  • credential sniffing
Summary
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:14:15.311Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pterodactyl Panel",
          "vendor": "Pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.7.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl before 0.7.14 with 2FA allows credential sniffing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "credential sniffing",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-29T14:25:23",
        "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
        "shortName": "dwf"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@distributedweaknessfiling.org",
          "ID": "CVE-2019-1020002",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Pterodactyl Panel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.7.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Pterodactyl"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pterodactyl before 0.7.14 with 2FA allows credential sniffing."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "credential sniffing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8",
              "refsource": "CONFIRM",
              "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
    "assignerShortName": "dwf",
    "cveId": "CVE-2019-1020002",
    "datePublished": "2019-07-29T14:25:23",
    "dateReserved": "2019-07-26T00:00:00",
    "dateUpdated": "2024-08-05T03:14:15.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-49762 (GCVE-0-2024-49762)
Vulnerability from cvelistv5
Published
2024-10-24 21:39
Modified
2024-10-25 17:20
CWE
  • CWE-313 - Cleartext Storage in a File or on Disk
Summary
Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs they could potentially authenticate against a user's account; assuming they are able to discover the account's email address or username separately. This problem has been patched in version 1.11.8. There are no workarounds at this time. There is not a direct vulnerability within the software as it relates to logs generated by intermediate components such as web servers or Layer 7 proxies. Updating to `v1.11.8` or adding the linked patch manually are the only ways to avoid this problem. As this vulnerability relates to historical logging of sensitive data, users who have ever disabled 2FA on a Panel (self-hosted or operated by a company) should change their passwords and consider enabling 2FA if it was left disabled. While it's unlikely that their accounts will be compromised by this vulnerability, it's not impossible. Panel administrators should consider clearing any access logs that may contain sensitive data.
Impacted products
Vendor Product Version
pterodactyl panel Version: < 1.11.8


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-25T17:20:24.295846Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-25T17:20:35.873Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "pterodactyl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.11.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent.  While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user\u0027s password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs they could potentially authenticate against a user\u0027s account; assuming they are able to discover the account\u0027s email address or username separately. This problem has been patched in version 1.11.8. There are no workarounds at this time. There is not a direct vulnerability within the software as it relates to logs generated by intermediate components such as web servers or Layer 7 proxies. Updating to `v1.11.8` or adding the linked patch manually are the only ways to avoid this problem. As this vulnerability relates to historical logging of sensitive data, users who have ever disabled 2FA on a Panel (self-hosted or operated by a company) should change their passwords and consider enabling 2FA if it was left disabled. While it\u0027s unlikely that their account swill be compromised by this vulnerability, it\u0027s not impossible. Panel administrators should consider clearing any access logs that may contain sensitive data."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-313",
              "description": "CWE-313: Cleartext Storage in a File or on Disk",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-24T21:39:24.986Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4"
        },
        {
          "name": "https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1"
        }
      ],
      "source": {
        "advisory": "GHSA-c479-wq8g-57hr",
        "discovery": "UNKNOWN"
      },
      "title": "Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-49762",
    "datePublished": "2024-10-24T21:39:24.986Z",
    "dateReserved": "2024-10-18T13:43:23.456Z",
    "dateUpdated": "2024-10-25T17:20:35.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2019-07-29 15:15
Modified
2024-11-21 04:18
Summary
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
Impacted products
Vendor Product Version
pterodactyl panel *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E9CAA02-D799-4D17-8183-AE5B031C4FF6",
              "versionEndExcluding": "0.7.14",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pterodactyl before 0.7.14 with 2FA allows credential sniffing."
    },
    {
      "lang": "es",
      "value": "Pterodactyl anterior a versi\u00f3n 0.7.14 con 2FA, permite el rastreo de credenciales."
    }
  ],
  "id": "CVE-2019-1020002",
  "lastModified": "2024-11-21T04:18:10.280",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-29T15:15:11.763",
  "references": [
    {
      "source": "josh@bress.net",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
    }
  ],
  "sourceIdentifier": "josh@bress.net",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-05-03 18:15
Modified
2025-06-06 19:15
Summary
Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To reiterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. This issue has been addressed in version 1.11.6 and users are advised to upgrade. No workaround is available other than updating to the latest version of the panel.
Impacted products
Vendor Product Version
pterodactyl panel *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED188395-6608-4D08-BE62-00FED786112D",
              "versionEndExcluding": "1.11.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to wings instance could lead to cross site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Egg variables: Name, Environment variable, Default value, Description, Validation rules. Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To iterate, this would require an administrator to perform actions and can\u0027t be triggered by a normal panel user. This issue has has been addressed in version 1.11.6 and users are advised to upgrade. No workaround is available other than updating to the latest version of the panel."
    },
    {
      "lang": "es",
      "value": "Pterodactyl es un panel de administraci\u00f3n de servidor de juegos gratuito y de c\u00f3digo abierto creado con PHP, React y Go. Importar un huevo malicioso u obtener acceso a la instancia de Wings podr\u00eda generar cross-site scripting (XSS) en el panel, que podr\u00edan usarse para obtener una cuenta de administrador en el panel. Espec\u00edficamente, las siguientes cosas se ven afectadas: im\u00e1genes de Egg Docker y variables de Egg: nombre, variable de entorno, valor predeterminado, descripci\u00f3n, reglas de validaci\u00f3n. Adem\u00e1s, ciertos campos reflejar\u00edan entradas maliciosas, pero requerir\u00edan que el usuario ingresara dicha entrada a sabiendas para tener un impacto. Para iterar, esto requerir\u00eda que un administrador realizara acciones y no puede ser activado por un usuario normal del panel. Este problema se solucion\u00f3 en la versi\u00f3n 1.11.6 y se recomienda a los usuarios que actualicen. No hay otro workaround disponible que no sea actualizar a la \u00faltima versi\u00f3n del panel."
    }
  ],
  "id": "CVE-2024-34067",
  "lastModified": "2025-06-06T19:15:40.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-03T18:15:09.573",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/0dad4c5a488661f9adc27dd311542516d9bfa0f2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-10-25 17:15
Modified
2024-11-21 06:25
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3.
Impacted products
Vendor Product Version
pterodactyl panel *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF3386D3-613D-47C9-BE15-C5E744A36799",
              "versionEndExcluding": "1.6.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel\u0027s sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed in version 1.6.3."
    },
    {
      "lang": "es",
      "value": "Pterodactyl es un panel de administraci\u00f3n de servidores de juegos de c\u00f3digo abierto construido con PHP 7, React y Go. En las versiones afectadas de Pterodactyl, un usuario malicioso puede desencadenar un cierre de sesi\u00f3n si un usuario que ha iniciado sesi\u00f3n visita un sitio web malicioso que realiza una petici\u00f3n al endpoint de cierre de sesi\u00f3n del Panel. Esto requiere un ataque dirigido contra una instancia espec\u00edfica del Panel y s\u00f3lo sirve para cerrar la sesi\u00f3n del usuario. **No son filtrados los detalles del usuario ni est\u00e1n afectados los datos del usuario; en el peor de los casos se trata simplemente de una molestia.** Esto es corregido en la versi\u00f3n 1.6.3"
    }
  ],
  "id": "CVE-2021-41176",
  "lastModified": "2024-11-21T06:25:40.737",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-25T17:15:09.380",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-11-17 20:15
Modified
2024-11-21 06:25
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.
Impacted products
Vendor Product Version
pterodactyl panel *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B4BD223-E350-4F4A-9F39-1B7EEFCB6E80",
              "versionEndExcluding": "1.6.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems."
    },
    {
      "lang": "es",
      "value": "Pterodactyl es un panel de administraci\u00f3n de servidores de juegos de c\u00f3digo abierto construido con PHP 7, React y Go. Debido a protecciones de tipo CSRF configuradas inapropiadamente en dos rutas, un usuario malicioso podr\u00eda ejecutar un ataque basado en CSRF contra los siguientes endpoints: Env\u00edo de un correo electr\u00f3nico de prueba y Generaci\u00f3n de un token de autodespliegue de nodo. En ning\u00fan momento se expondr\u00eda ning\u00fan dato al usuario malicioso, esto simplemente desencadenar\u00eda el env\u00edo de correo electr\u00f3nico a un usuario administrativo, o generar\u00eda un \u00fanico token de auto-despliegue de forma inesperada. Este token no se revela al usuario malicioso, simplemente se crea inesperadamente en el sistema. Esto se ha abordado en la versi\u00f3n \"1.6.6\". Los usuarios pueden aplicar manualmente las correcciones publicadas en la versi\u00f3n v1.6.6 para parchear sus propios sistemas."
    }
  ],
  "id": "CVE-2021-41273",
  "lastModified": "2024-11-21T06:25:56.407",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-17T20:15:10.400",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-10-06 20:15
Modified
2024-11-21 06:25
Summary
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel's cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably:
1.) The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow.
2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met:
3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker.
In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere.
Impacted products
Vendor Product Version
pterodactyl panel *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "39D8D800-578B-42AB-BFCA-6FA76ABDDAE7",
              "versionEndExcluding": "1.6.2",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server. This authentication flaw is present in the `LoginCheckpointController@__invoke` method which handles two-factor authentication for a user. This controller looks for a request input parameter called `confirmation_token` which is expected to be a 64 character random alpha-numeric string that references a value within the Panel\u0027s cache containing a `user_id` value. This value is then used to fetch the user that attempted to login, and lookup their two-factor authentication token. Due to the design of this system, any element in the cache that contains only digits could be referenced by a malicious user, and whatever value is stored at that position would be used as the `user_id`. There are a few different areas of the Panel that store values into the cache that are integers, and a user who determines what those cache keys are could pass one of those keys which would cause this code pathway to reference an arbitrary user. At its heart this is a high-risk login bypass vulnerability. However, there are a few additional conditions that must be met in order for this to be successfully executed, notably: 1.) 
The account referenced by the malicious cache key must have two-factor authentication enabled. An account without two-factor authentication would cause an exception to be triggered by the authentication logic, thusly exiting this authentication flow. 2.) Even if the malicious user is able to reference a valid cache key that references a valid user account with two-factor authentication, they must provide a valid two-factor authentication token. However, due to the design of this endpoint once a valid user account is found with two-factor authentication enabled there is no rate-limiting present, thusly allowing an attacker to brute force combinations until successful. This leads to a third condition that must be met: 3.) For the duration of this attack sequence the cache key being referenced must continue to exist with a valid `user_id` value. Depending on the specific key being used for this attack, this value may disappear quickly, or be changed by other random user interactions on the Panel, outside the control of the attacker. In order to mitigate this vulnerability the underlying authentication logic was changed to use an encrypted session store that the user is therefore unable to control the value of. This completely removed the use of a user-controlled value being used. In addition, the code was audited to ensure this type of vulnerability is not present elsewhere."
    },
    {
      "lang": "es",
      "value": "Pterodactyl es un panel de administraci\u00f3n de servidores de juegos de c\u00f3digo abierto construido con PHP 7, React y Go. Un usuario malicioso puede modificar el contenido de una entrada \"confirmation_token\" durante el proceso de autenticaci\u00f3n de dos factores para hacer referencia a un valor de cach\u00e9 no asociado con el intento de inicio de sesi\u00f3n. En casos excepcionales, esto puede permitir a un actor malicioso autenticarse como un usuario aleatorio en el Panel. El usuario malicioso debe dirigirse a una cuenta con la autenticaci\u00f3n de dos factores habilitada y luego debe proporcionar un token de autenticaci\u00f3n de dos factores correcto antes de ser autenticado como dicho usuario. Debido a un fallo de comprobaci\u00f3n en la l\u00f3gica que administra la autenticaci\u00f3n de usuario durante el proceso de autenticaci\u00f3n de dos factores, un usuario malicioso puede enga\u00f1ar al sistema para que cargue las credenciales de un usuario arbitrario modificando el token enviado al servidor. Este fallo de autenticaci\u00f3n est\u00e1 presente en el m\u00e9todo \"LoginCheckpointController@__invoke\" que maneja la autenticaci\u00f3n de dos factores para un usuario. Este controlador busca un par\u00e1metro de entrada de la petici\u00f3n llamado \"confirmation_token\" que se espera que sea una cadena alfanum\u00e9rica aleatoria de 64 caracteres que hace referencia a un valor dentro de la cach\u00e9 del Panel que contiene un valor \"user_id\". Este valor es usado para recuperar el usuario que ha intentado iniciar sesi\u00f3n y buscar su token de autenticaci\u00f3n de dos factores. Debido al dise\u00f1o de este sistema, cualquier elemento de la cach\u00e9 que contenga s\u00f3lo d\u00edgitos podr\u00eda ser referenciado por un usuario malicioso, y cualquier valor almacenado en esa posici\u00f3n ser\u00eda usado como el \"user_id\". 
Se presentan algunas \u00e1reas diferentes del Panel que almacenan valores en la cach\u00e9 que son enteros, y un usuario que determine cu\u00e1les son esas claves de la cach\u00e9 podr\u00eda pasar una de esas claves que causar\u00eda que esta v\u00eda de c\u00f3digo hiciera referencia a un usuario arbitrario. En el fondo, se trata de una vulnerabilidad de alto riesgo para omitir el inicio de sesi\u00f3n. Sin embargo, hay algunas condiciones adicionales que deben cumplirse para que esto se ejecute con \u00e9xito, en particular 1.) La cuenta a la que hace referencia la clave de cach\u00e9 maliciosa debe tener habilitada la autenticaci\u00f3n de dos factores. Una cuenta sin la autenticaci\u00f3n de dos factores causar\u00eda una excepci\u00f3n en la l\u00f3gica de autenticaci\u00f3n, saliendo as\u00ed de este flujo de autenticaci\u00f3n. 2.) Incluso si el usuario malicioso es capaz de hacer referencia a una clave de cach\u00e9 v\u00e1lida que hace referencia a una cuenta de usuario v\u00e1lida con autenticaci\u00f3n de dos factores, debe proporcionar un token de autenticaci\u00f3n de dos factores v\u00e1lido. Sin embargo, debido al dise\u00f1o de este endpoint, una vez que se encuentra una cuenta de usuario v\u00e1lida con la autenticaci\u00f3n de dos factores habilitada, no hay l\u00edmite de velocidad presente, permitiendo as\u00ed a un atacante hacer combinaciones de fuerza bruta hasta tener \u00e9xito. Esto conlleva a una tercera condici\u00f3n que debe cumplirse: 3.) Durante la duraci\u00f3n de esta secuencia de ataque, la clave de cach\u00e9 a la que se hace referencia debe seguir existiendo con un valor v\u00e1lido de \"user_id\". Dependiendo de la llave espec\u00edfica que se est\u00e9 usando para este ataque, este valor puede desaparecer r\u00e1pidamente, o ser cambiado por otras interacciones aleatorias del usuario en el Panel, fuera del control del atacante. 
Para mitigar esta vulnerabilidad, se modific\u00f3 la l\u00f3gica de autenticaci\u00f3n subyacente para utilizar un almac\u00e9n de sesi\u00f3n cifrado, cuyo valor no puede ser controlado por el usuario. Esto elimin\u00f3 por completo el uso de un valor controlado por el usuario. Adem\u00e1s, se audit\u00f3 el c\u00f3digo para asegurar que este tipo de vulnerabilidad no est\u00e1 presente en otros lugares"
    }
  ],
  "id": "CVE-2021-41129",
  "lastModified": "2024-11-21T06:25:32.307",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2021-10-06T20:15:19.897",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.6.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        },
        {
          "lang": "en",
          "value": "CWE-639"
        },
        {
          "lang": "en",
          "value": "CWE-807"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}