Wings
CVE-2024-34068
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the api.disable_remote_download option as a workaround.
AnalysisAI
Pterodactyl wings is the server control plane for Pterodactyl Panel. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-284. Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the api.disable_remote_download option as a workaround. Affected products include: Pterodactyl Wings. Version information: version 1.11.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Wings for Pterodactyl versions 1.7.0 through 1.11.x fail to respect SQLite's maximum parameter limit when deleting activ
Wings is the server control plane for Pterodactyl Panel. Rated high severity (CVSS 8.8), this vulnerability is remotely
Wings is Pterodactyl's server control plane. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Wings is the server control plane for Pterodactyl Panel. Rated high severity (CVSS 8.5), this vulnerability is remotely
Pterodactyl wings is the server control plane for Pterodactyl Panel. Rated high severity (CVSS 8.4), this vulnerability
Wings is Pterodactyl's server control plane. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable.
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.
Wings is the control plane software for the open source Pterodactyl game management system. Rated medium severity (CVSS
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP co
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today