Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/louislam/uptime-kuma: CVE-2023-36821 #1889

Closed
GoVulnBot opened this issue Jul 5, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/louislam/uptime-kuma: CVE-2023-36821 #1889

GoVulnBot opened this issue Jul 5, 2023 · 1 comment
Assignees
@jba
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-36821 references github.com/louislam/uptime-kuma, which may be a Go module.

Description:
Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling npm install in the installation directory of the plugin. Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution. Version 1.22.1 contains a patch for this issue.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/louislam/uptime-kuma
      vulnerable_at: 0.0.0-20230705130302-19873e5b9e06
      packages:
        - package: uptime-kuma
description: |-
    Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to
    install a maliciously crafted plugin in versions prior to 1.22.1, which may lead
    to remote code execution. Uptime Kuma allows authenticated users to install
    plugins from an official list of plugins. This feature is currently disabled in
    the web interface, but the corresponding API endpoints are still available after
    login. After downloading a plugin, it's installed by calling `npm install` in
    the installation directory of the plugin. Because the plugin is not validated
    against the official list of plugins or installed with `npm install
    --ignore-scripts`, a maliciously crafted plugin taking advantage of npm scripts
    can gain remote code execution. Version 1.22.1 contains a patch for this issue.
cves:
    - CVE-2023-36821
references:
    - advisory: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96
    - fix: https://github.com/louislam/uptime-kuma/pull/3346
    - web: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216
    - web: https://github.com/louislam/uptime-kuma/releases/tag/1.22.1
@jba jba self-assigned this Jul 7, 2023
@jba jba added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jul 7, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/508456 mentions this issue: data/excluded: batch add 14 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Oct 9, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Dec 2, 2023
Closed
This was referenced Dec 12, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jba jba

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @jba @GoVulnBot