oss-sec mailing list archives

Re: RCE in acme.sh < 3.0.6


From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 13 Jul 2023 12:26:38 -0400

Just closing the loop here: this has now been assigned
CVE-2023-38198:

https://www.cve.org/CVERecord?id=CVE-2023-38198


Jan Schaumann <jschauma () netmeister org> wrote:
Hi,

I don't think this has been raised here:

The acme.sh ACME client[1] prior to version 3.0.6[2] has
an RCE vulnerability allowing a hostile server to
execute arbitrary commands on the client[3].

I was unable to determine whether a CVE has been
requested for this issue; both the original discussion
and a second GitHub issue[4] have been inconclusively
closed for comments (I've reached out to the author).

The issue is also being discussed on Mozilla's
dev-security-policy[5].

-Jan

[1] https://github.com/acmesh-official/acme.sh
[2] https://github.com/acmesh-official/acme.sh/releases
[3] https://github.com/acmesh-official/acme.sh/issues/4659
[4] https://github.com/acmesh-official/acme.sh/issues/4665
[5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys

