CVE-2024-34066

Arbitrary File Write/Read in Pterodactyl wings

Description

Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround.

References

Link	Tags
https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fw	patch vendor advisory mitigation
https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de	patch

Frequently Asked Questions

What is the severity of CVE-2024-34066?: CVE-2024-34066 has been scored as a high severity vulnerability.
How to fix CVE-2024-34066?: To fix CVE-2024-34066, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-34066 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-34066 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-34066?: CVE-2024-34066 affects pterodactyl wings.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-552 – Files or Directories Accessible to External Parties

References

Frequently Asked Questions