Casaos
CVE-2023-37469
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.
AnalysisAI
CasaOS is an open-source personal cloud system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue. Affected products include: Icewhale Casaos. Version information: version 0.4.4.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
CasaOS-UserService provides user management functionalities to CasaOS. Rated critical severity (CVSS 9.8), this vulnerab
CasaOS-UserService provides user management functionalities to CasaOS. Rated critical severity (CVSS 9.8), this vulnerab
CasaOS is an open-source Personal Cloud system. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
CasaOS is an open-source Personal Cloud system. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability. Rated critical severity (CVSS 9.8), th
Casaos contains a vulnerability that allows attackers to retrieve sensitive configuration files and system debug informa
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today