List: oss-security
Subject: Re: [oss-security] RCE in acme.sh < 3.0.6
From: Jan Schaumann <jschauma () netmeister ! org>
Date: 2023-07-13 16:26:38
Message-ID: ZLAlvlNOdMKixhiG () netmeister ! org
Just closing the loop here: this has now been assigned
CVE-2023-38198:

https://www.cve.org/CVERecord?id=CVE-2023-38198

Jan Schaumann <jschauma@netmeister.org> wrote:
> Hi,
>
> I don't think this has been raised here:
>
> The acme.sh ACME client[1] prior to version 3.0.6[2] has
> an RCE vulnerability allowing a hostile server to
> execute arbitrary commands on the client[3].
>
> I was unable to determine whether a CVE has been
> requested for this issue; both the original discussion
> and a second GitHub issue[4] have been inconclusively
> closed for comments (I've reached out to the author).
>
> The issue is also being discussed on Mozilla's
> dev-security-policy[5].
>
> -Jan
>
> [1] https://github.com/acmesh-official/acme.sh
> [2] https://github.com/acmesh-official/acme.sh/releases
> [3] https://github.com/acmesh-official/acme.sh/issues/4659
> [4] https://github.com/acmesh-official/acme.sh/issues/4665
> [5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys