I was out looking for information on when the next update was coming through, and stumbled across this unsettling bit of news. Thought people should know.
IceWhaleTech–ZimaOS|ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path> is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files parameter, authenticated users can read sensitive system files, including /etc/shadow, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the files parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available.|2024-10-24|7.5|CVE-2024-48931|security-advisories@github.com
security-advisories@github.com|
IceWhaleTech–ZimaOS|ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.|2024-10-24|7.5|CVE-2024-49357|security-advisories@github.com
security-advisories@github.com|
IceWhaleTech–ZimaOS|ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http://<Zima_Server_IP:PORT>/v2_1/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as /etc, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available.|2024-10-24|7.5|CVE-2024-49359|security-advisories@github.com
security-advisories@github.com|