{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34066", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-30T06:56:33.381Z", "datePublished": "2024-05-03T17:42:12.412Z", "dateUpdated": "2024-08-02T02:42:59.879Z"}, "containers": {"cna": {"title": "Arbitrary File Write/Read in Pterodactyl wings", "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw"}, {"name": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "tags": ["x_refsource_MISC"], "url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de"}], "affected": [{"vendor": "pterodactyl", "product": "wings", "versions": [{"version": "< 1.11.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-03T17:42:12.412Z"}, "descriptions": [{"lang": "en", "value": "Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround."}], "source": {"advisory": "GHSA-gqmf-jqgv-v8fw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-03T20:26:38.404132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pterodactyl:wings:-:*:*:*:*:*:*:*"], "vendor": "pterodactyl", "product": "wings", "versions": [{"status": "affected", "version": "-", "lessThan": "1.11.12", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:52.402Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.879Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw"}, {"name": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "name": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "name": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.879Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-03T20:26:38.404132Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pterodactyl:wings:-:*:*:*:*:*:*:*"], "vendor": "pterodactyl", "product": "wings", "versions": [{"status": "affected", "version": "-", "lessThan": "1.11.12", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-03T20:27:34.738Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Arbitrary File Write/Read in Pterodactyl wings", "source": {"advisory": "GHSA-gqmf-jqgv-v8fw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pterodactyl", "product": "wings", "versions": [{"status": "affected", "version": "< 1.11.12"}]}], "references": [{"url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "name": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "name": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-03T17:42:12.412Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34066", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:42:59.879Z", "dateReserved": "2024-04-30T06:56:33.381Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-03T17:42:12.412Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*:*", "matchCriteriaId": "D05B5FFA-55EC-4269-A3D5-475EFBE44CF3", "versionEndExcluding": "1.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround."}, {"lang": "es", "value": "Pterodactyl Wings es el plano de control del servidor para Pterodactyl Panel. Si el token Wings se filtra al ver la configuraci\u00f3n del nodo o al publicarlo accidentalmente en alg\u00fan lugar, un atacante puede usarlo para obtener acceso de escritura y lectura de archivos arbitrarios en el nodo al que est\u00e1 asociado el token. Este problema se solucion\u00f3 en la versi\u00f3n 1.11.12 y se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden habilitar la opci\u00f3n `ignore_panel_config_updates` como workaround."}], "id": "CVE-2024-34066", "lastModified": "2025-02-21T15:15:38.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-03T18:15:09.363", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}