
List:       oss-security
Subject:    Re: [oss-security] RCE in acme.sh < 3.0.6
From:       Jan Schaumann <jschauma () netmeister ! org>
Date:       2023-07-13 16:26:38
Message-ID: ZLAlvlNOdMKixhiG () netmeister ! org

Just closing the loop here: this has now been assigned
CVE-2023-38198:

https://www.cve.org/CVERecord?id=CVE-2023-38198


Jan Schaumann <jschauma@netmeister.org> wrote:
> Hi,
> 
> I don't think this has been raised here:
> 
> The acme.sh ACME client[1] prior to version 3.0.6[2] has
> an RCE vulnerability allowing a hostile server to
> execute arbitrary commands on the client[3].
> 
> I was unable to determine whether a CVE has been
> requested for this issue; both the original discussion
> and a second GitHub issue[4] have been inconclusively
> closed for comments (I've reached out to the author).
> 
> The issue is also being discussed on Mozilla's
> dev-security-policy[5].
> 
> -Jan
> 
> [1] https://github.com/acmesh-official/acme.sh
> [2] https://github.com/acmesh-official/acme.sh/releases
> [3] https://github.com/acmesh-official/acme.sh/issues/4659
> [4] https://github.com/acmesh-official/acme.sh/issues/4665
> [5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys