CVE-2024-49762: Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled
(updated )
When a user disables two-factor authentication via the Panel, a DELETE
request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user’s password in plain text.
If a malicious user obtains access to these logs they could potentially authenticate against a user’s account; assuming they are able to discover the account’s email address or username separately.
References
- github.com/advisories/GHSA-c479-wq8g-57hr
- github.com/pterodactyl/panel
- github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4
- github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1
- github.com/pterodactyl/panel/security/advisories/GHSA-c479-wq8g-57hr
- nvd.nist.gov/vuln/detail/CVE-2024-49762
Detect and mitigate CVE-2024-49762 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →