漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval
Vulnerability Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
Vulnerability Title
Dokku 代码注入漏洞
Vulnerability Description
Dokku Dokku是Dokku团队的一个云平台部署工具。 Dokku 0.38.2之前版本存在代码注入漏洞,该漏洞源于openresty-vhosts plugin在处理文件名时未进行转义,导致单引号破坏引号结构并允许命令替换,从而可在下次部署时以dokku用户身份执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A