SCA: security update for github.com/donknap/dpanel (GHSA-j752-cjcj-w847)

critical Tenable Cloud Security Plugin ID 434615

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Dpanel is a Docker visualization panel system which provides complete Docker management functions. The
Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to
generate valid JWT tokens and compromise the host machine. This security flaw allows attackers to analyze
the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens,
an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain
unauthorized administrative access. Consequently, this enables full control over the host machine,
potentially leading to severe consequences such as sensitive data exposure, unauthorized command
execution, privilege escalation, or further lateral movement within the network environment. This issue is
patched in version 1.6.1. A workaround for this vulnerability involves replacing the hardcoded secret with
a securely generated value and loading it from secure configuration storage. (CVE-2025-30206)
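The workaround above (a generated secret loaded from configuration instead of one compiled into the binary) as an added example; this is not dpanel's code and not the 1.6.1 patch, the environment variable name DPANEL_JWT_SECRET is a hypothetical one, and HS256 is implemented with the Go standard library rather than a JWT library so the block runs stand-alone. The point is that the loader fails closed when no secret is configured, and the verifier pins the algorithm and compares the MAC in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"os"
	"strings"
)

var b64 = base64.RawURLEncoding

// LoadJWTSecret reads the signing secret from environment variable envVar (hypothetical name)
// and fails closed: a missing or short value is an error, never a fallback to a built-in value.
func LoadJWTSecret(envVar string) ([]byte, error) {
	v := strings.TrimSpace(os.Getenv(envVar))
	if len(v) < 32 { // HS256 should be keyed with at least 256 bits
		return nil, errors.New("jwt secret missing or shorter than 32 bytes")
	}
	return []byte(v), nil
}

// SignHS256 issues a compact JWT over raw JSON claims (server-side issuance).
func SignHS256(claims, secret []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 pins alg to HS256, compares the MAC in constant time, and returns the raw claims only on success.
func VerifyHS256(token string, secret []byte) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdr, errH := b64.DecodeString(p[0])
	sig, errS := b64.DecodeString(p[2])
	var h struct{ Alg string `json:"alg"` }
	if errH != nil || errS != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return nil, errors.New("bad encoding or alg is not HS256")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(p[0] + "." + p[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("signature mismatch")
	}
	return b64.DecodeString(p[1])
}
```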

See Also

https://github.com/advisories/GHSA-j752-cjcj-w847

Plugin Details

Severity: Critical

ID: 434615

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 5/28/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-30206

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/15/2025

Vulnerability Publication Date: 4/15/2025

Reference Information

CVE: CVE-2025-30206