Message-ID: <ZLAlvlNOdMKixhiG@netmeister.org>
Date: Thu, 13 Jul 2023 12:26:38 -0400
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Re: RCE in acme.sh < 3.0.6

Just closing the loop here: this has now been assigned
CVE-2023-38198:

https://www.cve.org/CVERecord?id=CVE-2023-38198


Jan Schaumann <jschauma@...meister.org> wrote:
> Hi,
> 
> I don't think this has been raised here:
> 
> The acme.sh ACME client[1] prior to version 3.0.6[2] has
> an RCE vulnerability allowing a hostile server to
> execute arbitrary commands on the client[3].
> 
> I was unable to determine whether a CVE has been
> requested for this issue; both the original discussion
> and a second GitHub issue[4] have been inconclusively
> closed for comments (I've reached out to the author).
> 
> The issue is also being discussed on Mozilla's
> dev-security-policy[5].
> 
> -Jan
> 
> [1] https://github.com/acmesh-official/acme.sh
> [2] https://github.com/acmesh-official/acme.sh/releases
> [3] https://github.com/acmesh-official/acme.sh/issues/4659
> [4] https://github.com/acmesh-official/acme.sh/issues/4665
> [5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
