Skip to the content.

DIVD-2023-00003 - OS command injection in CentOS CWP

Our reference DIVD-2023-00003
Case lead Max van der Horst
Researcher(s)
CVE(s)
Product CentOS Control Web Panel 7
Versions
  • All versions prior to 0.9.8.1147
Recommendation Upgrade to the latest version of CentOS CWP.
Status Open
Last modified 24 Jan 2023 11:25

Summary

An unauthenticated OS Command Injection vulnerability has been identified inside CentOS CWP 7 before version 0.9.8.1147. The login/index.php endpoint contains a vulnerable parameter, allowing unauthenticated attackers to execute bash commands. Misuse of this vulnerability could lead to the compromise of your system.

What you can do

Upgrade your CentOS CWP version to the patched version of 0.9.8.1147 or 0.9.8.1149 (latest).

What we are doing

DIVD is currently working to identify vulnerable parties and notify these. We do this by scanning for exposed CWP instances and examining this instance to determine whether the vulnerability is present. Owners of vulnerable instances receive a notification with the host information and remediation steps.

Timeline

Date Description
06 Jan 2023 Proof of Concept published on Github
11 Jan 2023 DIVD starts research on this vulnerability.
20 Nov 2023 DIVD conducts first scan.
gantt title DIVD-2023-00003 - OS command injection in CentOS CWP dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00003 - OS command injection in CentOS CWP (still open) :2023-01-11, 2023-02-14 section Events Proof of Concept published on Github : milestone, 2023-01-06, 0d DIVD starts research on this vulnerability. : milestone, 2023-01-11, 0d DIVD conducts first scan. : milestone, 2023-11-20, 0d

More information