CVE-2024-27102

HIGH EPSS 41.6%
Published Mar 13, 2024 (2y ago) · Modified Jun 17, 2026 (2w ago)
8.5 CVSS 3.1
High

Description

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is not known exactly, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive; however, effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.

CVSS Details

Base Score
8.5
Exploitability
1.8
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
41.6% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 3

CWE-22 Path Traversal
CWE-362 Race Condition (Resource Mgmt)
CWE-363 Race Condition Enabling Link Following (Resource Mgmt)

Affected Products 1

Vendor       Product   Version   Range
pterodactyl  wings     *         <1.11.9

References 2

  • github.com https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287
    Patch
  • github.com https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9
    Vendor Advisory

Remediation

  • github.com https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287
    Patch