CVE-2023-37469

Summary

CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
IceWhaleTechCasaOS< 0.4.4affected

Weaknesses

  • CWE-77: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References