CVE-2023-36457: 
vulnerability analysis and mitigation

1Panel, an open source Linux server operation and maintenance management panel, was found to contain a command injection vulnerability (CVE-2023-36457) prior to version 1.3.6. An authenticated attacker could craft a malicious payload to achieve command injection when adding container repositories (GitHub Advisory).

The vulnerability exists in the container repository management functionality, specifically in the backend files 'backend\app\api\v1\imagerepo.go#create' and 'backend\app\service\imagerepo.go#CheckConn'. The issue allows command injection through the username field when adding or updating container repositories. The vulnerability has a CVSS v3.1 base score of 6.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) according to GitHub's assessment, while NVD rates it as 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows authenticated attackers to execute arbitrary commands within the context of the system through command injection. This could lead to system compromise and unauthorized access to sensitive information (FortiGuard).

The vulnerability has been fixed in version 1.3.6 of 1Panel. Users are strongly recommended to upgrade to this version or later to address the security issue (GitHub Release).