VYPR
High severity · NVD Advisory · Published Mar 6, 2024 · Updated Aug 6, 2024

CasaOS-UserService allows unauthorized access to any file

CVE-2024-24765

Description

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.
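
The kind of strict path check the description refers to, as an added Go example; it is not CasaOS-UserService code and does not reproduce the 0.4.7 patch. The avatar directory, the function names, the loose prefix filter shown for contrast, and the sample paths are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideAvatarDir is returned when a request resolves outside the avatar directory.
var ErrOutsideAvatarDir = errors.New("path escapes avatar directory")

// LoosePrefixCheck is a hypothetical non-strict filter: it compares raw strings,
// so it ignores ".." segments and sibling directories that share the prefix.
func LoosePrefixCheck(avatarDir, requested string) bool {
	return strings.HasPrefix(requested, avatarDir)
}

// ResolveAvatarPath normalizes the request first and only then tests containment.
// The check is lexical; a deployment that allows symlinks inside the directory
// would also need filepath.EvalSymlinks before the comparison.
func ResolveAvatarPath(avatarDir, requested string) (string, error) {
	base := filepath.Clean(avatarDir)
	candidate := requested
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(base, candidate)
	}
	candidate = filepath.Clean(candidate)
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideAvatarDir
	}
	return candidate, nil
}

func main() {
	const dir = "/var/lib/example/avatars" // constructed directory
	samples := []string{ // constructed requests
		"1/avatar.png",
		"/var/lib/example/avatars/../users.db",
		"/var/lib/example/avatars-old/x.png",
	}
	for _, p := range samples {
		resolved, err := ResolveAvatarPath(dir, p)
		fmt.Printf("%-40q loose=%-5v strict=%q err=%v\n", p, LoosePrefixCheck(dir, p), resolved, err)
	}
}
```
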

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/IceWhaleTech/CasaOS-UserService (Go) | < 0.4.7 | 0.4.7 |
