Server-side Request Forgery (SSRF) Affecting github.com/pterodactyl/wings package, versions <1.2.1


0.0
medium
  • Attack Complexity

    Low

  • Scope

    Changed

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMPTERODACTYLWINGS-1314359

  • published

    24 Jun 2021

  • disclosed

    23 Jun 2021

  • credit

    Unknown

How to fix?

Upgrade github.com/pterodactyl/wings to version 1.2.1 or higher.

Overview

github.com/pterodactyl/wings is a The server control plane for Pterodactyl Panel. Written from the ground-up with security, speed, and stability in mind.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). Unchecked hostname resolution could allow access to local network resources by users outside the local network. A newly implemented route allowing users to download files from remote endpoints was not properly verifying the destination hostname for user provided URLs. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible.

This vulnerability requires valid authentication credentials and is therefore not exploitable by unauthenticated users. If you are running an instance for yourself or other trusted individuals this impact is unlikely to be of major concern to you. However, you should still upgrade for security sake.