U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2024-41111 Detail

Description

Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user. The exploit is pretty fun as we make the Sliver server pwn itself. As described in a past issue (#65), "there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server." An operator who exploited this vulnerability would be able to view all console logs, kick all other operators, view and modify files stored on the server, and ultimately delete the server. This issue has not yet be addressed but is expected to be resolved before the full release of version 1.6.0. Users of the 1.6.0 prerelease should avoid using Silver in production.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57
https://github.com/BishopFox/sliver/issues/65
https://github.com/BishopFox/sliver/issues/65
https://github.com/BishopFox/sliver/pull/1281
https://github.com/BishopFox/sliver/pull/1281
https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8
https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8
https://sliver.sh/docs?name=Multi-player+Mode
https://sliver.sh/docs?name=Multi-player+Mode

Weakness Enumeration

CWE-ID CWE Name Source
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') GitHub, Inc.  

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-41111
NVD Published Date:
07/18/2024
NVD Last Modified:
11/21/2024
Source:
GitHub, Inc.