CVE-2024-39943

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d	Patch
https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10	Patch
https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-04 23:15

Updated : 2024-07-08 16:42

NVD link : CVE-2024-39943

Mitre link : CVE-2024-39943

CVE.ORG link : CVE-2024-39943

JSON object : View

Products Affected

rejetto

http_file_server

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-284

Improper Access Control

{"id": "CVE-2024-39943", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2024-07-04T23:15:09.940", "references": [{"url": "https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js)."}, {"lang": "es", "value": "rejetto HFS (tambi\u00e9n conocido como servidor de archivos HTTP) 3 anterior a 0.52.10 en Linux, UNIX y macOS permite la ejecuci\u00f3n de comandos del sistema operativo por parte de usuarios remotos autenticados (si tienen permisos de carga). Esto ocurre porque se usa un shell para ejecutar df (es decir, con execSync en lugar de spawnSync en child_process en Node.js)."}], "lastModified": "2024-07-08T16:42:25.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "349B809F-44A2-4734-B8E1-95E1A17CB734", "versionEndExcluding": "0.52.10"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}