Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-37266 PoC — CasaOS 授权问题漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-37266.yaml
Associated Vulnerability
Title:CasaOS 授权问题漏洞 (CVE-2023-37266)
Description:CasaOS是一个简单、易用、优雅的开源家庭云系统。 CasaOS 0.4.4之前版本存在授权问题漏洞。攻击者利用该漏洞可以制作任意JWT和访问通常需要身份验证的功能,并以root身份执行任意命令。
Description
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
File Snapshot

 id: CVE-2023-37266

info:
  name: CasaOS  < 0.4.4 - Authentication Bypass via Random JWT Token
  aut

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.