Impact
OliveTin’s template engine uses a single shared instance for parsing templates, which creates a race condition (CWE-362) and demonstrates improper synchronization (CWE-567) when multiple command executions occur concurrently. One request can overwrite the template parse tree while another is executing it, leading to cross‑request command contamination, the execution of unintended shell commands with the privileges of the OliveTin service, and a Go runtime panic that can disrupt availability. The primary impact is the potential for unintended command execution and denial of service through panics.
Affected Systems
The vulnerability affects OliveTin versions 3000.0.0 and earlier, as distributed by OliveTin. The issue was fixed in OliveTin 3000.13.0.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity rating, but the EPSS score of <1% shows a very low likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker who can trigger concurrent web requests to the OliveTin interface could create a race condition that results in unintended command execution or a runtime panic. No specific authentication or privilege requirements are stated.
OpenCVE Enrichment
Github GHSA