CVE-2024-39907
📋 TL;DR
CVE-2024-39907 is a critical SQL injection vulnerability in 1Panel, a web-based Linux server management control panel. The vulnerability allows attackers to write arbitrary files to the system, leading to remote code execution (RCE). All users running 1Panel versions before 1.10.12-tls are affected.
💻 Affected Systems
- 1Panel
📦 What is this software?
1Panel by FIT2CLOUD
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root privileges, data exfiltration, installation of persistent backdoors, and complete control over managed servers.
Likely Case
Unauthorized access to server management functions, database manipulation, and potential lateral movement to other systems.
If Mitigated
Limited impact with proper network segmentation and access controls, but still significant risk to the 1Panel instance.
🎯 Exploit Status
SQL injection vulnerabilities are well-understood and frequently weaponized. The advisory suggests multiple injection points exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.12-tls
Vendor Advisory: https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
Restart Required: Yes
Instructions:
1. Back up your 1Panel configuration and data.
2. Stop the 1Panel service.
3. Update to version 1.10.12-tls using the official update mechanism.
4. Restart the 1Panel service.
5. Verify the update was successful.
🧯 If You Can't Patch
- Immediately restrict network access to the 1Panel web interface using firewall rules to only allow trusted IP addresses.
- Monitor system logs and network traffic for suspicious activity related to SQL queries or file writes.
🔍 How to Verify
Check if Vulnerable:
Check the 1Panel version in the web interface dashboard or run: docker exec 1panel cat /opt/1panel/version
Check Version:
docker exec 1panel cat /opt/1panel/version
Verify Fix Applied:
Confirm the version is 1.10.12-tls or later using the same method as checking vulnerability.
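A small POSIX shell helper, added here and not part of the advisory or of the 1Panel project, that compares a version string (such as the output of the check command above) against the fixed release 1.10.12-tls. It assumes versions look like `v1.10.11-lts` or `1.10.12-tls`; the leading `v` and any `-suffix` are ignored for the numeric comparison.

```shell
#!/bin/sh
# Added example (not the advisory's or the project's own code): decide whether
# a 1Panel version string is older than the fixed release for CVE-2024-39907.
# Assumed version format: optional "v" prefix, dotted numbers, optional "-suffix".

FIXED_VERSION="1.10.12-tls"

# "v1.10.11-lts" -> "1.10.11"
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/-.*$//'
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 (like strcmp). Missing components count as 0.
compare_versions() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    i=1
    while [ "$i" -le 3 ]; do
        # Trailing "." guarantees cut sees a delimiter even for "1"
        x=$(printf '%s\n' "$a." | cut -d. -f"$i")
        y=$(printf '%s\n' "$b." | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' '-1'; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' '1'; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' '0'
}

# Exit status 0 (true) when the given version is affected, 1 when patched.
is_vulnerable() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Usage with the advisory's check command:
#   is_vulnerable "$(docker exec 1panel cat /opt/1panel/version)" \
#       && echo "VULNERABLE: update to $FIXED_VERSION" || echo "patched"
```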
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in application logs
- Unexpected file write operations in system logs
- Failed authentication attempts followed by successful SQL queries
Network Indicators:
- HTTP requests containing SQL injection payloads to 1Panel endpoints
- Unusual outbound connections from the 1Panel server
SIEM Query (broad by design; any message containing SELECT will match, so tune it to the 1Panel request logs before alerting on it):
source="1panel.logs" AND (message="*sql*" OR message="*inject*" OR message="*UNION*" OR message="*SELECT*" OR message="*file_write*")