CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 91.4%
github.com/IceWhaleTech/CasaOS is vulnerable to Weak JWT Secrets. The vulnerability exists because the InitV1Router function of v1.go and the InitV2Router function of v2.go do not properly validate JWT tokens, which allows an attacker to send maliciously crafted JWTs, access features that usually require authentication, and execute arbitrary commands as root on CasaOS instances.