Unchecked hostname resolution could allow access to local network resources by users outside the local network

Moderate severity GitHub Reviewed Published Jan 7, 2021 in pterodactyl/wings • Updated Jan 9, 2023

Package

gomod github.com/pterodactyl/wings (Go)

Affected versions

= 1.2.0

Patched versions

1.2.1

Description

Impact

A newly implemented route that allows users to download files from remote endpoints did not properly verify the destination hostname of user-provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.

This vulnerability requires valid authentication credentials and is therefore not exploitable by unauthenticated users. If you are running an instance for yourself or other trusted individuals, this impact is unlikely to be of major concern to you. However, you should still upgrade for security's sake.
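The class of check the advisory describes, as an added example that is not Wings' own code: a URL validator that only inspects the scheme (the flawed shape), beside a hardened version that resolves the hostname and refuses any answer in a loopback, private, link-local, unspecified or shared-address (CGNAT) range. The `lookupFunc` type and all function names are assumptions for illustration; in production `net.LookupIP` satisfies `lookupFunc`.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// lookupFunc abstracts DNS so the check can be exercised offline (assumed helper).
type lookupFunc func(host string) ([]net.IP, error)
// cgnat is the shared-address range (RFC 6598), which net.IP.IsPrivate does not cover.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// isBlocked reports whether a download route must refuse to connect to ip; the
// net.IP helpers (Go 1.17+) normalise IPv4-mapped IPv6 such as ::ffff:127.0.0.1.
func isBlocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || cgnat.Contains(ip)
}

// validateRemoteURLUnchecked mirrors the flaw: scheme checked, destination host not.
func validateRemoteURLUnchecked(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("only http and https are allowed")
	}
	return u, nil
}

// validateRemoteURL resolves the host and rejects the URL if any answer is blocked.
func validateRemoteURL(raw string, lookup lookupFunc) (*url.URL, error) {
	u, err := validateRemoteURLUnchecked(raw)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an address literal: ask the resolver
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}
```

Because a name can resolve differently between this check and the later connect, the download itself should dial the address that passed validation rather than resolving the name a second time.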

Patches

Users should upgrade to the latest version of Wings.

Workarounds

There is no workaround available that does not involve modifying Panel or Wings code.

References

@DaneEveritt published to pterodactyl/wings Jan 7, 2021
Reviewed Jun 23, 2021
Published to the GitHub Advisory Database Jun 23, 2021
Last updated Jan 9, 2023

Severity

Moderate
6.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE ID

No known CVE

GHSA ID

GHSA-6rg3-8h8x-5xfv
