We found what we are calling Vulnerabilidad de Las Plagas, a Server-Side Request Forgery vulnerability that affects all versions of VaultWiki since 4.0.1, except VaultWiki Lite.
This is a serious vulnerability that could allow attackers to bypass your server's firewall and, depending on your server's configuration, perform any number of malicious tasks, including but not limited to:
- Making changes to background services
- Remote code execution
- Enrolling your server in a botnet
We have published the following Patch Level releases to resolve this issue:
- 4.0.13 Patch Level 1
- 4.0.12 Patch Level 2
- 4.0.11 Patch Level 2
- 4.0.10 Patch Level 3
- 4.0.9 Patch Level 3
- 4.0.8 Patch Level 5
- 4.0.7 Patch Level 6
- 4.0.6 Patch Level 9
We strongly recommend that all users running VaultWiki 4.0.1 or higher in a production environment update to a patched release as soon as possible.