CVE-2021-41129 – Authentication bypass in Pterodactyl
https://notcve.org/view.php?id=CVE-2021-41129
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random user in the Panel. The malicious user must target an account with two-factor authentication enabled, and then must provide a correct two-factor authentication token before being authenticated as that user. Due to a validation flaw in the logic handling user authentication during the two-factor authentication process, a malicious user can trick the system into loading credentials for an arbitrary user by modifying the token sent to the server.
• References:
https://github.com/pterodactyl/panel/blob/v1.6.2/CHANGELOG.md#v162
https://github.com/pterodactyl/panel/commit/4a84c36009be10dbd83051ac1771662c056e4977
https://github.com/pterodactyl/panel/releases/tag/v1.6.2
https://github.com/pterodactyl/panel/security/advisories/GHSA-5vfx-8w6m-h3v4
• Weaknesses: CWE-287: Improper Authentication; CWE-502: Deserialization of Untrusted Data; CWE-639: Authorization Bypass Through User-Controlled Key; CWE-807: Reliance on Untrusted Inputs in a Security Decision
CVE-2021-32699 – Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings
https://notcve.org/view.php?id=CVE-2021-32699
Wings is the control plane software for the open source Pterodactyl game management system. All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding. Users should upgrade to `1.4.4` to mitigate the issue. There is no non-code-based workaround for impacted versions of the software.
• References:
https://github.com/pterodactyl/wings/commit/e0078eee0a71d61573a94c75e6efcad069d78de3
https://github.com/pterodactyl/wings/security/advisories/GHSA-jj6m-r8jc-2gp7
• Weaknesses: CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2019-1020002
https://notcve.org/view.php?id=CVE-2019-1020002
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
• References:
https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8
• Weaknesses: CWE-203: Observable Discrepancy