CVE-2026-27626

OliveTin · OliveTin

OliveTin is vulnerable to unauthenticated remote code execution (RCE) via two vectors: shell argument injection and unsafe webhook processing.

Executive summary

OliveTin is susceptible to unauthenticated remote code execution, allowing attackers to take full control of the host system via malicious webhooks or shell command manipulation.

Vulnerability

Vector 1: checkShellArgumentSafety does not block arguments of the password type, so an authenticated user can inject shell syntax through such an argument (authenticated RCE). Vector 2: JSON values extracted from webhook payloads bypass the argument type safety checks before they are passed to sh -c, which allows unauthenticated RCE.

Business impact

This vulnerability allows for total system takeover. Since OliveTin is often used to manage server operations, an attacker could execute any command the OliveTin process is authorized to run. The CVSS score of 9.9 is justified by the ease of unauthenticated exploitation via the webhook vector.

Remediation

Immediate Action: As no patch is currently available, administrators should immediately disable the webhook feature or restrict access to the OliveTin web interface via firewall/VPN.

Proactive Monitoring: Review system logs for unauthorized shell command execution and monitor for suspicious incoming webhook requests from unknown sources.

Compensating Controls: Implement strict network-level access controls and consider using a proxy to sanitize incoming webhook payloads before they reach OliveTin.
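The two checks the Vulnerability section describes as missing, and the payload sanitisation that the compensating-controls item suggests, as an added Go example. This is not OliveTin's own code; the argument type names and patterns, the function names and the sample webhook bodies are assumptions made for illustration. It shows three things a hardened ingest path should do: every argument type, including password, goes through a pattern check; a webhook JSON value must be a string before any type-specific check runs, so numbers, objects, arrays and null are rejected instead of being stringified; and validated values are handed to the process as separate argv elements rather than interpolated into a sh -c string. The same extractWebhookArgs function could run in a front-end proxy that rejects a payload before it is forwarded.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Added example, not OliveTin's code. Argument type names and patterns
// are assumptions; the point is that no type is exempt from a check.
var argPatterns = map[string]*regexp.Regexp{
	"ascii":    regexp.MustCompile(`^[a-zA-Z0-9 ._-]*$`),
	"int":      regexp.MustCompile(`^-?[0-9]+$`),
	"password": regexp.MustCompile(`^[a-zA-Z0-9 ._-]*$`), // same rule, no exemption
}

var (
	ErrNotString   = errors.New("webhook argument must be a JSON string")
	ErrUnsafe      = errors.New("argument value fails safety check")
	ErrUnknownType = errors.New("unknown argument type")
)

// checkArgument applies the pattern for the argument's type. Unknown types
// are rejected rather than allowed through unchecked.
func checkArgument(argType, value string) error {
	re, ok := argPatterns[argType]
	if !ok {
		return ErrUnknownType
	}
	if !re.MatchString(value) {
		return ErrUnsafe
	}
	return nil
}

// extractWebhookArgs decodes a webhook body and returns only values that are
// JSON strings and pass checkArgument. The leading-quote test rejects numbers,
// objects, arrays, booleans and null up front (json.Unmarshal would silently
// accept null into a string).
func extractWebhookArgs(body []byte, argTypes map[string]string) (map[string]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(argTypes))
	for name, argType := range argTypes {
		rawVal, present := raw[name]
		if !present {
			return nil, fmt.Errorf("missing argument %q", name)
		}
		if len(rawVal) == 0 || rawVal[0] != '"' {
			return nil, fmt.Errorf("argument %q: %w", name, ErrNotString)
		}
		var s string
		if err := json.Unmarshal(rawVal, &s); err != nil {
			return nil, fmt.Errorf("argument %q: %w", name, ErrNotString)
		}
		if err := checkArgument(argType, s); err != nil {
			return nil, fmt.Errorf("argument %q: %w", name, err)
		}
		out[name] = s
	}
	return out, nil
}

// buildArgv returns an argv slice suitable for exec.Command. Because each
// value is its own argv element, no shell ever parses it; this is the
// alternative to building a "sh -c" command line.
func buildArgv(program string, order []string, args map[string]string) []string {
	argv := []string{program}
	for _, name := range order {
		argv = append(argv, args[name])
	}
	return argv
}

func main() {
	types := map[string]string{"host": "ascii", "count": "int"}
	// Constructed sample webhook bodies: one valid, one with a JSON number.
	bodies := [][]byte{
		[]byte(`{"host":"db01","count":"3"}`),
		[]byte(`{"host":"db01","count":3}`),
	}
	for _, b := range bodies {
		args, err := extractWebhookArgs(b, types)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("argv:", buildArgv("/usr/bin/ping", []string{"host", "count"}, args))
	}
}
```

Running it prints an argv for the first body and a rejection for the second. The password pattern here is deliberately the same as the ascii one; a deployment that must accept arbitrary password characters should rely on the argv separation in buildArgv rather than widen the pattern, since an argv element is never shell-parsed.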

Exploitation status

Public Exploit Available: No

Analyst recommendation

The lack of a current patch necessitates extreme caution. We recommend taking OliveTin instances offline or isolating them entirely from external networks until a security update is released. Prioritize securing the webhook ingest points as they represent the most dangerous unauthenticated entry path.