CVE-2024-39907: 1Panel has an SQL injection issue related to the orderBy clause

July 18, 2024

There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows

References

github.com/1Panel-dev/1Panel
github.com/1Panel-dev/1Panel/commit/ff549a47937c1314e6ee08453a1d2128242440cd
github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
github.com/advisories/GHSA-5grx-v727-qmq6
nvd.nist.gov/vuln/detail/CVE-2024-39907

Detect and mitigate CVE-2024-39907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →