Executive Summary

This vulnerability exists in Dokploy versions 0.28.8 and earlier, specifically in the updateTraefikConfig tRPC endpoint. It allows authenticated users with admin or owner privileges to perform OS command injection by exploiting unsanitized input in the traefikConfig parameter. The input is interpolated directly into a shell command executed via SSH, enabling these privileged users to execute arbitrary system commands on remote servers.

An attacker can inject a single quote into the traefikConfig value to break out of the intended shell quoting context and insert malicious commands. Exploitation requires an admin or owner account and a deployed application with an SSH key configured.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution on managed servers with the privileges of the SSH user. Since it allows arbitrary system commands to be run, an attacker with admin or owner access can potentially compromise the entire server environment, leading to data breaches, service disruption, or further escalation of privileges.

The vulnerability is classified as high severity with a CVSS score of 9.0, indicating significant impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying unauthorized or suspicious command execution attempts via the updateTraefikConfig tRPC endpoint in Dokploy versions ≤ 0.28.8.

Since exploitation requires an admin or owner account and involves injecting shell commands through the traefikConfig parameter, monitoring logs for unusual commands or shell injection patterns is recommended.

• Check application logs for calls to the updateTraefikConfig endpoint with suspicious payloads containing single quotes or shell metacharacters.
• Use network monitoring tools to detect unusual SSH command executions originating from the Dokploy server.
• Example command to search logs for suspicious input patterns: grep -E "updateTraefikConfig.*['\";|&]" /path/to/dokploy/logs/*
• Monitor SSH command execution logs on managed servers for unexpected commands executed by the SSH user configured in Dokploy.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access and monitoring usage of the updateTraefikConfig endpoint.

• Limit admin or owner privileges to trusted users only, as exploitation requires such accounts.
• Disable or restrict the use of the updateTraefikConfig endpoint until a patch or fix is available.
• Monitor and audit SSH keys configured for deployments to ensure they are secure and not compromised.
• Implement network-level controls to restrict SSH access from the Dokploy server to managed servers.
• Stay updated with Dokploy security advisories for any forthcoming patches addressing this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated admin or owner users to execute arbitrary system commands on remote servers, potentially leading to unauthorized access, data breaches, or manipulation of sensitive information.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0