CVE-2024-34066— Arbitrary File Write/Read in Pterodactyl wings
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-34066
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary File Write/Read in Pterodactyl wings
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue has been addressed in version 1.11.12 and users are advised to upgrade. Users unable to upgrade may enable the `ignore_panel_config_updates` option as a workaround.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对外部实体的文件或目录可访问
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wings 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wings是Pterodactyl Panel 的服务器控制界面。 Wings 1.11.12 之前版本存在安全漏洞,该漏洞源于Wings 令牌可以通过查看节点配置意外泄露,允许攻击者使用它来获得与令牌关联的节点上的任意文件写入和读取访问权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| pterodactyl | wings | < 1.11.12 | - |
II. Public POCs for CVE-2024-34066
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-34066
请登录查看更多情报信息。
- https://github.com/pterodactyl/wings/security/advisories/GHSA-gqmf-jqgv-v8fwx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-34066
Same Patch Batch · pterodactyl · 2024-05-03 · 3 CVEs total
| CVE-2024-34068 | 6.4 MEDIUM | Server-side Request Forgery during remote file pull in Pterodactyl wings |
| CVE-2024-34067 | 6.1 MEDIUM | Multiple cross site scripting (XSS) vulnerabilities in the admin area of Pterodactyl panel |
IV. Related Vulnerabilities
Same product: wings
- CVE-2026-21696
Endless reprocessing/reupload of activity log data due to SQ - CVE-2024-34068
Server-side Request Forgery during remote file pull in Ptero - CVE-2024-27102
Improper isolation of server file access in github.com/ptero - CVE-2023-32080
Wings vulnerable to escape to host from installation contain - CVE-2023-25168
Symbolic Link (Symlink) Following allowing the deletion of f
Same vendor: pterodactyl
- CVE-2026-26016
Pterodactyl Panel Allows Cross-Node Server Configuration Dis - CVE-2026-21696
Endless reprocessing/reupload of activity log data due to SQ - CVE-2025-69199
Pterodactyl Wings's websocket endpoints have no visible rate - CVE-2025-69198
Pterodactyl's improper resource locking allows raced queries - CVE-2025-69197
Pterodactyl TOTPs can be reused during validity window
Same weakness: CWE-552
- CVE-2025-7389
Unauthorized Arbitrary File Read via RMI in AdminServer Inte - CVE-2019-25709
CF Image Hosting Script 1.6.5 Unauthorized Database Access - CVE-2026-33698
Chamilo LMS affected by unauthenticated RCE in main/install - CVE-2021-47960
Synology SSL VPN Client 安全漏洞 - CVE-2026-35446
LORIS has a path traversal in FilesDownloadHandler
V. Comments for CVE-2024-34066
No comments yet