Situation
It was found that a low-privilege team user (role=default) can escalate to the full capabilities of the owning cPanel account through the use of certain UAPI modules. This affects cPanel & WHM versions 110 and higher.
Impact
We have pushed out a patch in the following cPanel & WHM versions:
- 11.110.0.118 (cl6110)
- 11.110.0.119 and higher
- 11.118.0.67 and higher
- 11.124.0.38 and higher
- 11.126.0.59 and higher
- 11.130.0.23 and higher
- 11.132.0.32 and higher
- 11.134.0.26 and higher
- 11.136.0.10 and higher
We have pushed out a patch in the following WP Squared version:
- 11.136.1.12 and higher
For customers still on CentOS 6 or CloudLinux 6, we recommend running the following command to set the upgrade tier, and then following the steps in the "Required Actions" below.
# sed -i "s/CPANEL=.*/CPANEL=cl6110/g" /etc/cpupdate.conf
Note: All further versions of cPanel are patched for this issue as well. Please see the latest changelogs for version information of each cPanel branch:
https://docs.cpanel.net/changelogs/
Call to Action
- Update the cPanel version on the server to one of the versions listed above. This can be done with the following:
  # /scripts/upcp --force
- Once completed, verify the cPanel version with the following to ensure the update was successful:
  # /usr/local/cpanel/cpanel -V
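Verifying the version by eye is error-prone across nine branches, so the following is an added example (not part of this advisory and not cPanel's own tooling) that classifies a cPanel & WHM version string against the patched builds listed above. The branch thresholds are the ones in this article; the function names are this example's own. It treats branches below 110 as unaffected (per the "110 and higher" statement), branches above 136 as patched (per the note that all further versions are patched), and branches the list does not mention (for example 112 or 128) as unknown rather than guessing. It does not cover the separate WP Squared version line.

```shell
#!/bin/sh
# Added example: classify a cPanel & WHM version against the advisory's patched builds.
# Version strings are the dotted form used in the advisory, e.g. 11.126.0.59.

# Minimum patched build per branch (second version component), from the advisory.
patched_minimum_for_branch() {
    case "$1" in
        110) printf '%s\n' "11.110.0.118" ;;   # cl6110 build; 11.110.0.119+ also patched
        118) printf '%s\n' "11.118.0.67" ;;
        124) printf '%s\n' "11.124.0.38" ;;
        126) printf '%s\n' "11.126.0.59" ;;
        130) printf '%s\n' "11.130.0.23" ;;
        132) printf '%s\n' "11.132.0.32" ;;
        134) printf '%s\n' "11.134.0.26" ;;
        136) printf '%s\n' "11.136.0.10" ;;
        *)   return 1 ;;                       # branch not listed in the advisory
    esac
}

# Compare two dotted versions numerically, component by component (up to four).
# Missing components count as 0. Prints -1, 0 or 1 for a<b, a==b, a>b.
version_cmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Classify a version as: patched, vulnerable, unaffected (branch < 110),
# or unknown (malformed input, or a branch the advisory does not list).
cpanel_patch_status() {
    ver="$1"
    case "$ver" in
        ""|*[!0-9.]*) printf '%s\n' unknown; return ;;   # reject anything but digits and dots
    esac
    branch=$(printf '%s' "$ver" | cut -d. -f2)
    branch=${branch:-0}
    if [ "$branch" -lt 110 ]; then printf '%s\n' unaffected; return; fi
    if [ "$branch" -gt 136 ]; then printf '%s\n' patched; return; fi
    min=$(patched_minimum_for_branch "$branch") || { printf '%s\n' unknown; return; }
    if [ "$(version_cmp "$ver" "$min")" -ge 0 ]; then
        printf '%s\n' patched
    else
        printf '%s\n' vulnerable
    fi
}

# Usage: ./check_cpanel_patch.sh VERSION
# Exits 0 only when the version is classified as patched.
main() {
    if [ -z "$1" ]; then
        printf 'usage: %s VERSION\n' "$0" >&2
        return 2
    fi
    status=$(cpanel_patch_status "$1")
    printf '%s: %s\n' "$1" "$status"
    [ "$status" = patched ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Feed it the version shown by `/usr/local/cpanel/cpanel -V` after running `/scripts/upcp --force`; a non-zero exit status means the server is not on a build this advisory lists as patched and the update should be re-checked.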
Additional Information
Additional security incidents are resolved in this latest release as well. Please see the following for more information: