CVE-2023-36821: Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.
References
- github.com/advisories/GHSA-7grx-f945-mj96
- github.com/louislam/uptime-kuma
- github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js
- github.com/louislam/uptime-kuma/commit/a0736e04b2838aae198c2110db244eab6f87757b
- github.com/louislam/uptime-kuma/pull/3346
- github.com/louislam/uptime-kuma/releases/tag/1.22.1
- github.com/louislam/uptime-kuma/security/advisories/GHSA-7grx-f945-mj96
- nvd.nist.gov/vuln/detail/CVE-2023-36821