Vulnerability

Affected software: CloudLinux CageFS versions below 6.1.9-2

CloudLinux keeps the CageFS exclude list in the /etc/cagefs/exclude/systemuserlist file, which is generated during CageFS installation. By default it contains user names that might not exist on the system, such as varnish. If a user orders a DirectAdmin account named varnish, or a reseller creates a user named varnish, that user will be outside CageFS.
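
One way to audit a host for the condition described above, as an added example that is not part of the original advisory or of CloudLinux's tooling. It assumes the exclude file lists one user name per line and that UIDs at or above 1000 belong to regular (customer) accounts; the function name and the output labels are hypothetical.

```shell
#!/bin/sh
# Added example: compare a CageFS exclude list with the passwd database.
# Assumptions: one user name per line in the exclude file; accounts with a
# UID >= uid_min (default 1000) are regular, customer-type accounts.
#
# Usage: audit_cagefs_excludes EXCLUDE_FILE [PASSWD_FILE] [UID_MIN]
#   e.g. audit_cagefs_excludes /etc/cagefs/exclude/systemuserlist
# Prints one finding per line:
#   UNCLAIMED <name>      excluded name has no account yet, so an account
#                         created with that name later would be outside CageFS
#   REGULAR <name> <uid>  excluded name already belongs to a non-system UID
audit_cagefs_excludes() {
    exclude_file=$1
    passwd_file=${2:-/etc/passwd}
    uid_min=${3:-1000}

    [ -r "$exclude_file" ] || { echo "cannot read $exclude_file" >&2; return 2; }
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }

    awk -F: -v min="$uid_min" '
        # First file (passwd): remember the UID of every existing account.
        FILENAME == ARGV[1] { uid[$1] = $3; next }
        # Second file (exclude list): trim whitespace, skip blank lines.
        {
            name = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            if (name == "") next
            if (!(name in uid))
                print "UNCLAIMED " name
            else if (uid[name] + 0 >= min)
                print "REGULAR " name " " uid[name]
        }
    ' "$passwd_file" "$exclude_file"
}
```

Names reported as UNCLAIMED are the ones a new account could take; names reported as REGULAR deserve a manual check of who owns the account.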

Solution

Update CageFS to version 6.1.9-2 or later.

Timeline