acme.sh runs arbitrary commands from a remote server

Thread starter jbo@
Start date Jun 16, 2023
Tags

acme.sh security

jbo@

Developer

Jun 16, 2023

Anybody using security/acme.sh might want to upgrade: security/acme.sh runs arbitrary commands from a remote server!
If you're using HiCA, you surely want to revoke & renew your certs (with a more trustworthy CA).

Instead, HiCA is stealthily crafting curl commands and piping the output to bash. acme.sh is (being tricked into?) running arbitrary code from a remote server.

See this GitHub issue: https://github.com/acmesh-official/acme.sh/issues/4659

Last edited: Sep 11, 2023

You must log in or register to reply here.

LinkedIn Reddit Pinterest Tumblr WhatsApp Email Link

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Back

Top