CVE-2024-34352: 1Panel arbitrary file write vulnerability

May 9, 2024 (updated February 7, 2025)

There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol > to achieve arbitrary file writing

References

github.com/1Panel-dev/1Panel
github.com/1Panel-dev/1Panel/security/advisories/GHSA-f8ch-w75v-c847
github.com/advisories/GHSA-f8ch-w75v-c847
nvd.nist.gov/vuln/detail/CVE-2024-34352
pkg.go.dev/vuln/GO-2024-2830

Code Behaviors & Features

Detect and mitigate CVE-2024-34352 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →