CVE-2025-34171 (CNNVD-202601-690)
中文标题:
CasaOS 安全漏洞
英文标题:
CasaOS <= 0.4.15 Unauthenticated File and Debug Data Exposure
漏洞描述
中文描述:
CasaOS是一个简单、易用、优雅的开源家庭云系统。 CasaOS 0.4.15及之前版本存在安全漏洞,该漏洞源于多个未经验证的端点暴露,可能导致敏感配置文件和系统调试信息泄露。
英文描述:
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| IceWhale Tech | CasaOS | - | ≤ 0.4.15 | - |
cpe:2.3:a:icewhale_tech:casaos:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-34171 |
2026-01-07 02:47:01 | 2026-01-12 02:11:31 |
| NVD | nvd_CVE-2025-34171 |
2026-01-09 03:00:05 | 2026-01-12 02:27:39 |
| CNNVD | cnnvd_CNNVD-202601-690 |
2026-01-11 06:15:03 | 2026-01-12 02:38:15 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202601-690
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']