CVE-2024-52309 (GCVE-0-2024-52309)

Vulnerability from cvelistv5 – Published: 2024-11-21 17:11 – Updated: 2024-11-21 20:40
VLAI?
Summary
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
drakkan sftpgo Affected: >= 2.4.0, < 2.6.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52309",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T20:40:11.076587Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T20:40:32.988Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sftpgo",
          "vendor": "drakkan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.4.0, \u003c 2.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-21T17:11:06.556Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7"
        },
        {
          "name": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb"
        },
        {
          "name": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4"
        }
      ],
      "source": {
        "advisory": "GHSA-49cc-xrjf-9qf7",
        "discovery": "UNKNOWN"
      },
      "title": "SFTPGo allows administrators to restrict command execution from the EventManager"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52309",
    "datePublished": "2024-11-21T17:11:06.556Z",
    "dateReserved": "2024-11-06T19:00:26.397Z",
    "dateUpdated": "2024-11-21T20:40:32.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI.\"}, {\"lang\": \"es\", \"value\": \"SFTPGo es un servidor SFTP, HTTP/S, FTP/S y WebDAV con todas las funciones y altamente configurable: S3, Google Cloud Storage, Azure Blob. Una caracter\\u00edstica poderosa de SFTPGo es la capacidad de hacer que EventManager ejecute scripts o ejecute aplicaciones en respuesta a ciertos eventos. Esta caracter\\u00edstica es muy com\\u00fan en todo el software similar a SFTPGo y generalmente no tiene restricciones. Sin embargo, cualquier administrador de SFTPGo con permiso para ejecutar un script tiene acceso al sistema operativo/contenedor subyacente con los mismos permisos que el usuario que ejecuta SFTPGo. Esto es inesperado para algunos administradores de SFTPGo que piensan que existe una distinci\\u00f3n clara entre acceder al shell del sistema y acceder a la interfaz de usuario de WebAdmin de SFTPGo. Para evitar esta confusi\\u00f3n, la ejecuci\\u00f3n de comandos del sistema est\\u00e1 deshabilitada de forma predeterminada en 2.6.3 y se agreg\\u00f3 una lista de permitidos para que los administradores del sistema que configuren SFTPGo deban definir expl\\u00edcitamente qu\\u00e9 comandos se pueden configurar desde la interfaz de usuario de WebAdmin.\"}]",
      "id": "CVE-2024-52309",
      "lastModified": "2024-11-21T18:15:12.800",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"LOW\", \"subsequentSystemIntegrity\": \"LOW\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-11-21T18:15:12.800",
      "references": "[{\"url\": \"https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52309\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-21T18:15:12.800\",\"lastModified\":\"2024-11-21T18:15:12.800\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI.\"},{\"lang\":\"es\",\"value\":\"SFTPGo es un servidor SFTP, HTTP/S, FTP/S y WebDAV con todas las funciones y altamente configurable: S3, Google Cloud Storage, Azure Blob. Una caracter\u00edstica poderosa de SFTPGo es la capacidad de hacer que EventManager ejecute scripts o ejecute aplicaciones en respuesta a ciertos eventos. Esta caracter\u00edstica es muy com\u00fan en todo el software similar a SFTPGo y generalmente no tiene restricciones. Sin embargo, cualquier administrador de SFTPGo con permiso para ejecutar un script tiene acceso al sistema operativo/contenedor subyacente con los mismos permisos que el usuario que ejecuta SFTPGo. Esto es inesperado para algunos administradores de SFTPGo que piensan que existe una distinci\u00f3n clara entre acceder al shell del sistema y acceder a la interfaz de usuario de WebAdmin de SFTPGo. Para evitar esta confusi\u00f3n, la ejecuci\u00f3n de comandos del sistema est\u00e1 deshabilitada de forma predeterminada en 2.6.3 y se agreg\u00f3 una lista de permitidos para que los administradores del sistema que configuren SFTPGo deban definir expl\u00edcitamente qu\u00e9 comandos se pueden configurar desde la interfaz de usuario de WebAdmin.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52309\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-21T20:40:11.076587Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-21T20:40:27.270Z\"}}], \"cna\": {\"title\": \"SFTPGo allows administrators to restrict command execution from the EventManager\", \"source\": {\"advisory\": \"GHSA-49cc-xrjf-9qf7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"drakkan\", \"product\": \"sftpgo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.4.0, \u003c 2.6.3\"}]}], \"references\": [{\"url\": \"https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7\", \"name\": \"https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb\", \"name\": \"https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4\", \"name\": \"https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-21T17:11:06.556Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52309\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-21T20:40:32.988Z\", \"dateReserved\": \"2024-11-06T19:00:26.397Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-21T17:11:06.556Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.