{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "0.4.4" } ] }, "events": [ { "introduced": "0" }, { "fixed": "9d6381d7ac91d51839814a9b350f8782c3042bc3" } ], "repo": "https://github.com/icewhaletech/casaos", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-77" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37469.json" }, "details": "CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.", "id": "CVE-2023-37469", "modified": "2026-04-01T23:10:24.674945361Z", "published": "2023-08-24T22:12:10.234Z", "references": [ { "type": "WEB", "url": "https://github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/route/v1/samba.go#L121" }, { "type": "WEB", "url": "https://github.com/IceWhaleTech/CasaOS/blob/96e92842357230098c771bc41fd3baf46189b859/service/connections.go#L58" }, { "type": "WEB", "url": "https://github.com/IceWhaleTech/CasaOS/releases/tag/v0.4.4" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37469.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37469" }, { "type": "ADVISORY", "url": "https://securitylab.github.com/advisories/GHSL-2022-119_CasaOS/" }, { "type": "FIX", "url": "https://github.com/IceWhaleTech/CasaOS/commit/af440eac5563644854ff33f72041e52d3fd1f47c" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "CasaOS Command Injection vulnerability" }