1Panel Users Urged to Patch After Critical SQLi Flaws (CVE-2024-39911, CVSS 10) Discovered
A critical SQL injection vulnerability has been found in 1Panel, a widely deployed open-source Linux server management panel, putting a large number of Linux servers at risk. Tracked as CVE-2024-39911, the flaw carries the maximum possible CVSS score of 10.0. A score at that ceiling means the bug is reachable over the network without privileges or user interaction, and that successful exploitation fully compromises the confidentiality, integrity and availability of the host.
1Panel is known for its modern, user-friendly interface that simplifies the management of Linux servers. It bundles host monitoring, file management, database management and container management into one panel, which is what makes it attractive to administrators and, equally, what makes a compromised panel so valuable to an attacker.
CVE-2024-39911 is an SQL injection reached through 1Panel's handling of the HTTP User-Agent header, a value that every client supplies and that an attacker controls completely on every request. The severity is amplified by the presence of multiple SQL injection points within the project, some of which are only inadequately filtered. Filtering attacker input is not the same as keeping it out of query syntax: an attacker who can alter the queries can write arbitrary files through the database and from there reach remote code execution (RCE), taking full control of the affected server and everything the panel manages.
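To make the pattern concrete, here is an added example written for this article; it is hypothetical Python over an in-memory SQLite database, not 1Panel's own code (1Panel is a Go code base). It models a panel that looks up client sessions by User-Agent and contrasts three ways of building that query: string concatenation (vulnerable), a keyword blocklist of the "inadequate filtering" kind (still vulnerable), and a bound parameter (safe). The table, rows, header values and payloads are all constructed for the demonstration.

```python
"""SQL injection through an HTTP User-Agent header: vulnerable, "filtered", hardened.

Hypothetical code for this article, not 1Panel's source. It models a panel that
looks up client sessions by User-Agent and shows why parameterised queries, not
input filtering, are the fix.
"""
import sqlite3

# Constructed sample rows: two live sessions in an in-memory database.
SAMPLE_SESSIONS = [
    ("alice", "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0", "tok-alice-1"),
    ("admin", "curl/8.4.0", "tok-admin-9"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE session (user TEXT, user_agent TEXT, token TEXT)")
    conn.executemany("INSERT INTO session VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    return conn


def user_agent_of(headers):
    """Pick the User-Agent out of a request header dict (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "user-agent":
            return value
    return ""


def lookup_vulnerable(conn, headers):
    """Concatenates the header into SQL: a single quote in it rewrites the query."""
    ua = user_agent_of(headers)
    sql = f"SELECT user, token FROM session WHERE user_agent = '{ua}'"
    return conn.execute(sql).fetchall()


def lookup_filtered(conn, headers):
    """Blocklist "filtering": strips a few upper-case keywords, then concatenates anyway.

    Returns None when the statement no longer parses, i.e. the filter only
    "worked" by breaking the query, which is not a security control.
    """
    ua = user_agent_of(headers)
    for bad in ("OR", "UNION", "SELECT"):
        ua = ua.replace(bad, "")
    sql = f"SELECT user, token FROM session WHERE user_agent = '{ua}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_hardened(conn, headers):
    """Bound parameter: the driver passes the header as data, never as SQL syntax."""
    ua = user_agent_of(headers)
    return conn.execute(
        "SELECT user, token FROM session WHERE user_agent = ?", (ua,)
    ).fetchall()


# Constructed requests: a normal client, a classic tautology payload, and the
# same payload in lower case, which the case-sensitive blocklist does not see.
NORMAL = {"Host": "panel.example", "User-Agent": "curl/8.4.0"}
TAUTOLOGY = {"Host": "panel.example", "User-Agent": "x' OR 1=1 --"}
LOWERCASE = {"Host": "panel.example", "User-Agent": "x' or 1=1 --"}


def demo():
    """Run every lookup against every request and return the rows each one leaks."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, NORMAL),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),   # every session
        "filtered_tautology": lookup_filtered(conn, TAUTOLOGY),       # None: query broke
        "filtered_lowercase": lookup_filtered(conn, LOWERCASE),       # every session again
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY),       # nothing
        "hardened_lowercase": lookup_hardened(conn, LOWERCASE),       # nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The point of the middle variant is the one the advisory makes: a filter that rejects the obvious payload gives a false sense of safety, because the attacker-controlled text is still being glued into the statement and any encoding the filter did not anticipate (case, comments, alternate keywords) goes straight through. The hardened variant never lets the header become syntax, so there is nothing to bypass; the same rule applies to every other place a request value reaches a query.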
Worryingly, proof-of-concept (PoC) code and technical details for CVE-2024-39911 have already been published, which makes widespread exploitation likely rather than merely possible. Because the flaw chains to remote code execution, an attacker who reaches an unpatched panel can install malware, steal sensitive data, or disrupt the services the panel manages.
1Panel's developers have released version v1.10.12-tls, which fixes CVE-2024-39911 together with CVE-2024-39907, a second critical SQL injection flaw (CVSS 9.8) for which a PoC has also been published. No workaround is available, so users should upgrade immediately; until the upgrade is done, the panel's web interface should not be reachable from untrusted networks.