x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-2352

[GoVulnBot]

CVE-2024-2352 references github.com/1Panel-dev/1Panel, which may be a Go module.

Description:
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-2352
• JSON: https://github.com/CVEProject/cvelist/tree/a6a7bd8db7dee56f04c5583dd5330ee15854fe97/2024/2xxx/CVE-2024-2352.json
• web: https://vuldb.com/?id.256304
• web: https://vuldb.com/?ctiid.256304
• fix: fix: 解决命令注入waf被绕过的问题 1Panel-dev/1Panel#4131
• fix: fix: 解决命令注入waf被绕过的问题 1Panel-dev/1Panel#4131 (comment)
• fix: 1Panel-dev/1Panel@0edd7a9
• Imported by: https://pkg.go.dev/github.com/1Panel-dev/1Panel?tab=importedby

Cross references:

• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36457 #1887 NOT_IMPORTABLE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-36458 #1888 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-37477 #1940 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39964 #2004 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39965 #2005 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2023-39966 #2006 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: CVE-2024-24768 #2531 EFFECTIVELY_PRIVATE
• Module github.com/1Panel-dev/1Panel appears in issue x/vulndb: potential Go vuln in github.com/1Panel-dev/1Panel: GHSA-26w3-q4j8-4xjp #2613

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/1Panel-dev/1Panel
      vulnerable_at: 1.9.6
      packages:
        - package: 1Panel
cves:
    - CVE-2024-2352
references:
    - web: https://vuldb.com/?id.256304
    - web: https://vuldb.com/?ctiid.256304
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131#issue-2176105990
    - fix: https://github.com/1Panel-dev/1Panel/pull/4131/commits/0edd7a9f6f5100aab98a0ea6e5deedff7700396c

[tatianab]

Duplicate of #2636