SCA: security update for github.com/IceWhaleTech/CasaOS (GHSA-m5q5-8mfw-p2hr)

critical Tenable Self-Hosted Container Security Plugin ID 416755

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs, access
features that normally require authentication, and execute arbitrary commands as `root` on CasaOS instances.
The problem was addressed by improving JWT validation in commit `705bf1f`, which is part of CasaOS 0.4.4.
Users should upgrade to CasaOS 0.4.4. If they cannot, they should temporarily restrict untrusted users'
access to CasaOS, for instance by not exposing it publicly. (CVE-2023-37266)
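The advisory text above says only that JWT validation was "improved". The following Go program is an added illustration of the bug class it describes, written for this page; it is not CasaOS's code and not the content of commit `705bf1f`. It assumes an HS256-signed token with a hypothetical claim set (`username`, `exp`) and a server-side secret, and contrasts a parser that returns claims from any well-formed token with a verifier that pins the algorithm, checks the HMAC in constant time, and enforces expiry before trusting anything in the payload.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical claim set for this illustration, not CasaOS's.
type Claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// decodeClaims decodes the payload segment only; it proves nothing about authenticity.
func decodeClaims(payload string) (*Claims, error) {
	raw, err := b64.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// signHS256 issues a legitimate token: header.payload.HMAC-SHA256(header.payload).
func signHS256(c Claims, key []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// forgeUnsigned is what an attacker without the key can produce: alg "none", empty signature.
func forgeUnsigned(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(c)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body) + "."
}

// parseClaimsUnverified is the weak pattern: any three-segment token yields claims,
// so the caller ends up trusting a username the attacker chose.
func parseClaimsUnverified(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	return decodeClaims(parts[1]) // signature never checked
}

// verifyHS256 is the hardened form: pin the algorithm, recompute the MAC over the exact
// bytes received, compare in constant time, and only then read and check the claims.
func verifyHS256(token string, key []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" { // rejects "none" and any algorithm swap
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	c, err := decodeClaims(parts[1])
	if err != nil {
		return nil, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("missing or expired exp")
	}
	return c, nil
}

func main() {
	key := []byte("server-side-secret") // assumed secret; constructed for the demo
	now := time.Unix(1700000000, 0)
	forged := forgeUnsigned(Claims{Username: "admin", Exp: now.Unix() + 3600})
	c, err := parseClaimsUnverified(forged)
	fmt.Println("weak parser accepts forged admin token:", err == nil && c.Username == "admin")
	_, err = verifyHS256(forged, key, now)
	fmt.Println("hardened verifier rejects it:", err)
}
```

The same verifier also rejects a token that carries an `HS256` header but was signed with a guessed key, and a correctly signed token whose `exp` is in the past; the point is that no field of the payload is read for authorization decisions until the MAC has been checked against the exact bytes on the wire.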

See Also

https://github.com/advisories/GHSA-m5q5-8mfw-p2hr

Plugin Details

Severity: Critical

ID: 416755

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37266

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2023

Vulnerability Publication Date: 7/17/2023

Reference Information

CVE: CVE-2023-37266