QwikSec

Security Database

CVE

CWE

Training

CVE-2023-37469

Published: Aug 24, 2023

Modified: Oct 2, 2024

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.

Vendor	Product	Versions
IceWhaleTech	CasaOS	affected `< 0.4.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://securitylab.github.com/advisories/GHSL-2022-119_CasaOS/

x_refsource_CONFIRM

https://github.com/IceWhaleTech/CasaOS/commit/af440eac5563644854ff33f72041e52d3fd1f47c

x_refsource_MISC

https://github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/route/v1/samba.go#L121

x_refsource_MISC

https://github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/service/connections.go#L58

x_refsource_MISC

https://github.com/IceWhaleTech/CasaOS/releases/tag/v0.4.4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.