CasaOS contains weak JWT secrets
Critical severity
GitHub Reviewed
Published
Jul 17, 2023
in
IceWhaleTech/CasaOS
•
Updated Nov 11, 2023
Package
Affected versions
< 0.4.4
Patched versions
0.4.4
Description
Published to the GitHub Advisory Database
Jul 17, 2023
Reviewed
Jul 17, 2023
Published by the National Vulnerability Database
Jul 17, 2023
Last updated
Nov 11, 2023
Impact
Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as
root
on CasaOS instances.Patches
The problem was addressed by improving the validation of JWTs in 705bf1f. This patch is part of CasaOS 0.4.4.
Workarounds
Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
References
References