CVE-2023-37266: CasaOS contains weak JWT secrets
(updated )
Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root
on CasaOS instances.
References
- github.com/IceWhaleTech/CasaOS
- github.com/IceWhaleTech/CasaOS/commit/705bf1facbffd2ca40b159b0303132b6fdf657ad
- github.com/IceWhaleTech/CasaOS/security/advisories/GHSA-m5q5-8mfw-p2hr
- github.com/advisories/GHSA-m5q5-8mfw-p2hr
- nvd.nist.gov/vuln/detail/CVE-2023-37266
- pkg.go.dev/vuln/GO-2023-1931
- www.sonarsource.com/blog/security-vulnerabilities-in-casaos
Detect and mitigate CVE-2023-37266 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →