Symbolic Link (Symlink) Following allowing the deletion of files and directories on the host system in wings
Description
Wings is Pterodactyl's server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with GHSA-p8r3-83r8-jwj5 to overwrite files on the host system. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. This vulnerability has been resolved in version v1.11.4 of Wings, and has been back-ported to the 1.7 release series in v1.7.4. Anyone running v1.11.x should upgrade to v1.11.4 and anyone running v1.7.x should upgrade to v1.7.4. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pterodactyl/wings (Go) | < 1.7.4 | 1.7.4 |
| github.com/pterodactyl/wings (Go) | >= 1.11.0, < 1.11.4 | 1.11.4 |
Affected products
- Range: < 1.7.4
References
- github.com/advisories/GHSA-66p8-j459-rq63
- nvd.nist.gov/vuln/detail/CVE-2023-25168
- github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
- github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63
- github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5