Cyber Resilience

CVE-2024-27102

Critical

Published: 13 March 2024

Published
13 March 2024
Modified
23 January 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0076 73.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-27102 is a critical-severity Path Traversal (CWE-22) vulnerability in Pterodactyl Wings. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is…

more

exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pterodactyl
wings
≤ 1.11.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-362

Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

addresses: CWE-362

Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References