List: oss-security
Subject: [oss-security] RCE in acme.sh < 3.0.6
From: Jan Schaumann <jschauma () netmeister ! org>
Date: 2023-06-14 22:33:25
Message-ID: ZIpANf8DGHFYVBFR () netmeister ! org

Hi,

I don't think this has been raised here:

The acme.sh ACME client[1] prior to version 3.0.6[2] has
an RCE vulnerability allowing a hostile server to
execute arbitrary commands on the client[3].

I was unable to determine whether a CVE has been
requested for this issue; both the original discussion
and a second GitHub issue[4] have been inconclusively
closed for comments (I've reached out to the author).

The issue is also being discussed on Mozilla's
dev-security-policy[5].

-Jan

[1] https://github.com/acmesh-official/acme.sh
[2] https://github.com/acmesh-official/acme.sh/releases
[3] https://github.com/acmesh-official/acme.sh/issues/4659
[4] https://github.com/acmesh-official/acme.sh/issues/4665
[5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys