CVE-2023-36458: 
vulnerability analysis and mitigation

1Panel, an open source Linux server operation and maintenance management panel, was found to contain a command injection vulnerability (CVE-2023-36458) prior to version 1.3.6. The vulnerability was discovered and disclosed in June 2023, affecting all versions up to and including v1.3.5. This security issue impacts authenticated users who have access to the container terminal functionality (GitHub Advisory, NVD).

The vulnerability exists in the container terminal functionality where an authenticated attacker can craft malicious payloads to achieve command injection. The issue specifically occurs in the backend/app/api/v1/terminal.go#ContainerWsSsh component. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) by GitHub, while NVD rates it at 8.8 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

When successfully exploited, this vulnerability allows an authenticated attacker to execute arbitrary commands within the container terminal environment. This could potentially lead to unauthorized system access, data manipulation, and system compromise within the container context (GitHub Advisory).

The vulnerability has been patched in version 1.3.6 of 1Panel. Users are strongly recommended to upgrade to this version or later to address the security issue. No alternative workarounds have been provided (GitHub Release, GitHub Advisory).