Nixpkgs security tracker
9.1 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
References
-
https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 x_refsource_CONFIRM
-
https://github.com/getarcaneapp/arcane/pull/1468 x_refsource_MISC
-
https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0 x_refsource_MISC
Affected products
- ==< 1.13.0
Matching in nixpkgs
pkgs.arcanechat-tui
Lightweight Delta Chat client
pkgs.deltachat-cursed
Lightweight Delta Chat client
Package maintainers
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>