Pterodactyl Panel - Remote Code Execution
Short Info
Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 20 hours
Scan only one: URL
Toolbox: -
Pterodactyl Panel is a free, open-source game server management panel. In versions before 1.11.11, the /locales/locale.json endpoint accepts locale and namespace query parameters that are not adequately validated; by supplying crafted values, an unauthenticated attacker can execute arbitrary code on the panel host. The endpoint requires no login, so the issue is reachable by anyone who can reach the panel over the network.
References:
- https://github.com/pterodactyl/panel/security/advisories/GHSA-24wv-6c99-f843
- https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0
- https://github.com/pterodactyl/panel/releases/tag/v1.11.11
Remediation:
Upgrade Pterodactyl Panel to version 1.11.11 or later. There is no software workaround for this vulnerability; until the upgrade is applied, an external Web Application Firewall (WAF) that restricts the locale and namespace parameters on /locales/locale.json can help mitigate the attack, but it is not a substitute for patching.
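The two checks a defender needs after reading this page, as an added example (this is not code from the Pterodactyl project or from this scanner page): a numeric version comparison against the fix release 1.11.11, which avoids the lexical-compare mistake where "1.11.9" sorts after "1.11.11", and a WAF-style allowlist for the locale and namespace parameters on /locales/locale.json. The allowed character set and length limit are assumptions made here for illustration, not values taken from the advisory; the sample URLs in the test are constructed.

```python
"""
Added example: version gate and request filter for the Pterodactyl
/locales/locale.json advisory (GHSA-24wv-6c99-f843). Not project code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fix release named in the advisory and in the page's remediation text.
FIXED_VERSION = (1, 11, 11)
LOCALE_PATH = "/locales/locale.json"

# Assumption (not from the advisory): legitimate locale and namespace values
# are short identifiers such as "en", "de", "server" or "admin". Anything
# containing path separators, dots, percent signs, NULs, etc. is rejected.
_SAFE_PARAM = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def parse_version(version: str) -> tuple:
    """Turn 'v1.11.9' / '1.11.9' into (1, 11, 9) so comparison is numeric."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version: str) -> bool:
    """True when the reported panel version already contains the fix."""
    return parse_version(version) >= FIXED_VERSION


def locale_request_is_suspicious(url: str) -> bool:
    """
    WAF-style rule: flag requests to /locales/locale.json whose locale or
    namespace parameter falls outside the identifier allowlist.

    parse_qs percent-decodes values, so '%2e%2e%2f' is inspected as '../'.
    Double-encoded input ('%252e') is NOT decoded here; a real WAF should
    normalise repeatedly or reject '%' outright (the regex above does).
    """
    parts = urlsplit(url)
    if parts.path != LOCALE_PATH:
        return False  # rule only applies to the vulnerable endpoint
    params = parse_qs(parts.query)
    for name in ("locale", "namespace"):
        for value in params.get(name, []):
            if not _SAFE_PARAM.match(value):
                return True
    return False


if __name__ == "__main__":
    for v in ("1.11.9", "1.11.10", "1.11.11", "v1.11.12"):
        print(v, "fixed" if version_is_fixed(v) else "VULNERABLE - upgrade")
    # Constructed sample requests, not captured traffic.
    for u in (
        "https://panel.example/locales/locale.json?locale=en&namespace=server",
        "https://panel.example/locales/locale.json?locale=..%2F..%2Fx&namespace=y",
    ):
        print("block" if locale_request_is_suspicious(u) else "allow", u)
```

Apply version_is_fixed() to whatever version string your inventory or the panel's own release metadata reports; the string-compare trap is the usual reason a fleet report misses 1.11.9 and 1.11.10 hosts. The request filter is deliberately an allowlist rather than a blocklist of traversal sequences, because the advisory does not say which characters are dangerous and an allowlist does not need to.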