List:       oss-security
Subject:    [oss-security] RCE in acme.sh < 3.0.6
From:       Jan Schaumann <jschauma () netmeister ! org>
Date:       2023-06-14 22:33:25
Message-ID: ZIpANf8DGHFYVBFR () netmeister ! org

Hi,

I don't think this has been raised here:

The acme.sh ACME client[1] prior to version 3.0.6[2] has
an RCE vulnerability allowing a hostile server to
execute arbitrary commands on the client[3].

I was unable to determine whether a CVE has been
requested for this issue; both the original discussion
and a second GitHub issue[4] have been inconclusively
closed for comments (I've reached out to the author).

The issue is also being discussed on Mozilla's
dev-security-policy[5].

-Jan

[1] https://github.com/acmesh-official/acme.sh
[2] https://github.com/acmesh-official/acme.sh/releases
[3] https://github.com/acmesh-official/acme.sh/issues/4659
[4] https://github.com/acmesh-official/acme.sh/issues/4665
[5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys