We noticed that the Webmin security release notes (Security | Webmin) mention that a security fix related to the shell autocomplete feature was released in Webmin 2.111.
However, we couldn’t find any specific details on the exact nature of this vulnerability or the commit that resolved it. Could anyone provide more information on:
The exact nature of this shell autocomplete vulnerability—was it related to privilege escalation, unauthorized access, or another issue?
The specific commit or code area that addressed this vulnerability?
If any CVE was assigned to this issue, or if there’s further documentation available on the scope of the fix?
Is it possible for us to patch this issue in an earlier version of Webmin rather than upgrading to a later version entirely?
We are trying to understand if this issue impacts any custom shell or command configurations and to confirm the security of our installation. Any insights would be greatly appreciated!
Thank you for your previous response. We have an additional question regarding our configuration:
We do not include the shell module in our Webmin build, which we understand to be the source of this vulnerability.
Additionally, we do not include the Authentic Theme module as well, which apparently contains the fix for this issue. We use an older custom theme.
Given these exclusions, could you confirm whether our configuration is still vulnerable, or if there are other aspects of Webmin that may be impacted by this issue?
Your guidance would be very helpful as we assess our current security needs.
Hi Ilia, thank you for the quick and detailed response.
Due to project-specific customizations in our Webmin implementation, upgrading to a new version is a significant undertaking, requiring a detailed certification process.
Last year we upgraded and certified version 2.013 and we may consider a further upgrade to the latest version next year.
For now, we’re focused on addressing individual security concerns as they arise, without a full version upgrade.