CVE-2023-37265: Incorrect identification of source IP addresses in CasaOS

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-37265

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Incorrect identification of source IP addresses in CasaOS

Source: NVD (National Vulnerability Database)

Vulnerability Description

CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

关键功能的认证机制缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

CasaOS 访问控制错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

CasaOS是一个简单、易用、优雅的开源家庭云系统。 CasaOS 0.4.4之前版本存在访问控制错误漏洞，该漏洞源于缺乏验证IP地址。攻击者利用该漏洞可以以root身份执行任意命令。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
IceWhaleTech	CasaOS-Gateway	< 0.4.4	-

II. Public POCs for CVE-2023-37265

#	POC Description	Source Link	Shenlong Link
1	CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-37265.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-37265

Please Login to view more intelligence information

https://www.sonarsource.com/blog/security-vulnerabilities-in-casaosx_refsource_MISC
https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6gx_refsource_CONFIRM
https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-37265

IV. Related Vulnerabilities

Same vendor: IceWhaleTech

Same weakness: CWE-306

V. Comments for CVE-2023-37265

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-37265

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-37265

III. Intelligence Information for CVE-2023-37265

IV. Related Vulnerabilities

V. Comments for CVE-2023-37265

Leave a comment