| { |
| "schema_version": "1.3.1", |
| "id": "GO-2024-2616", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2024-24765", |
| "GHSA-h5gf-cmm8-cg7c" |
| ], |
| "summary": "Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService", |
| "details": "The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/IceWhaleTech/CasaOS-UserService", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.4.7" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1", |
| "symbols": [ |
| "GetUserImage" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Cp0204" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2024-2616" |
| } |
| } |
