Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0-beta.361 fixes the issue.
Coolify before version 4.0.0-beta.361 does not verify permissions when assigning private SSH keys to servers (CWE-862 — missing authorization). A logged-in attacker can assign another person's private key to their own server. If the attacker's server configuration (IP address/domain, port — usually 22 — and user, e.g., root) matches the victim's server configuration, the attacker can use the Terminal function in Coolify and execute arbitrary system commands on the victim's server.
The attacker can gain full control over the victim's server by executing arbitrary commands with the privileges of the configured user (e.g., root), resulting in complete loss of confidentiality, integrity, and availability of the system.
Coolify must be updated to version 4.0.0-beta.361 or newer, which removes the described vulnerability. The patch is available in the vendor's repository.
Coollabs Coolify in all versions before 4.0.0-beta.361
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCoollabs Coolify
APPCoollabs4.0.0< 4.0.0
Related vulnerabilities
Stored XSS w Coolify — atak przez złośliwą nazwę projektu
Command injection w Coolify via docker-compose.yaml — RCE jako root
RCE w Coolify — command injection w konfiguracji Docker Compose
Command injection w polu Git Repository w Coolify
Coolify: nieuprawniony dostęp do prywatnego klucza SSH użytkownika root