oss-sec mailing list archives
RCE in acme.sh < 3.0.6
From: Jan Schaumann <jschauma () netmeister org>
Date: Wed, 14 Jun 2023 18:33:25 -0400
Hi,

I don't think this has been raised here:

The acme.sh ACME client[1] prior to version 3.0.6[2] has an RCE vulnerability allowing a hostile server to execute arbitrary commands on the client[3].

I was unable to determine whether a CVE has been requested for this issue; both the original discussion and a second GitHub issue[4] have been inconclusively closed for comments (I've reached out to the author).

The issue is also being discussed on Mozilla's dev-security-policy[5].

-Jan

[1] https://github.com/acmesh-official/acme.sh
[2] https://github.com/acmesh-official/acme.sh/releases
[3] https://github.com/acmesh-official/acme.sh/issues/4659
[4] https://github.com/acmesh-official/acme.sh/issues/4665
[5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys