CVE-2024-24768: 1Panel set-cookie is missing the Secure keyword

February 5, 2024 (updated January 20, 2025)

The https cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text when accessing http accidentally.

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Set-Cookie#secure

References

github.com/1Panel-dev/1Panel
github.com/1Panel-dev/1Panel/commit/1169648162c4b9b48e0b4aa508f9dea4d6bc50d5
github.com/1Panel-dev/1Panel/pull/3817
github.com/1Panel-dev/1Panel/security/advisories/GHSA-9xfw-jjq2-7v8h
github.com/advisories/GHSA-9xfw-jjq2-7v8h
nvd.nist.gov/vuln/detail/CVE-2024-24768

Detect and mitigate CVE-2024-24768 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →