Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 14 Jun 2023 18:33:25 -0400
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: RCE in acme.sh < 3.0.6

Hi,

I don't think this has been raised here:

The acme.sh ACME client[1] prior to version 3.0.6[2] has
an RCE vulnerability allowing a hostile server to
execute arbitrary commands on the client[3].

I was unable to determine whether a CVE has been
requested for this issue; both the original discussion
and a second GitHub issue[4] have been inconclusively
closed for comments (I've reached out to the author).

The issue is also being discussed on Mozilla's
dev-security-policy[5].

-Jan

[1] https://github.com/acmesh-official/acme.sh
[2] https://github.com/acmesh-official/acme.sh/releases
[3] https://github.com/acmesh-official/acme.sh/issues/4659
[4] https://github.com/acmesh-official/acme.sh/issues/4665
[5] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.