CVE-2024-4040

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/airbus-cert/CVE-2024-4040	Exploit Third Party Advisory
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/	Press/Media Coverage Third Party Advisory
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update	Vendor Advisory
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update	Patch Vendor Advisory
https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/	Third Party Advisory
https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/	Press/Media Coverage Third Party Advisory
https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/	Patch Press/Media Coverage Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:crushftp:crushftp::::::::
	cpe:2.3:a:crushftp:crushftp::::::::

History

No history.

Information

Published : 2024-04-22 20:15

Updated : 2024-04-26 15:25

NVD link : CVE-2024-4040

Mitre link : CVE-2024-4040

CVE.ORG link : CVE-2024-4040

JSON object : View

Products Affected

crushftp

crushftp

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

{"id": "CVE-2024-4040", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-04-22T20:15:07.803", "references": [{"url": "https://github.com/airbus-cert/CVE-2024-4040", "tags": ["Exploit", "Third Party Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update", "tags": ["Vendor Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update", "tags": ["Patch", "Vendor Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/", "tags": ["Third Party Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}, {"url": "https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/", "tags": ["Patch", "Press/Media Coverage", "Third Party Advisory"], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.\n"}, {"lang": "es", "value": "VFS Sandbox Escape en CrushFTP en todas las versiones anteriores a 10.7.1 y 11.1.0 en todas las plataformas permite a atacantes remotos con privilegios bajos leer archivos del sistema de archivos fuera de VFS Sandbox."}], "lastModified": "2024-04-26T15:25:47.270", "cisaActionDue": "2024-05-01", "cisaExploitAdd": "2024-04-24", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1922C854-D367-44B7-AEFB-4AEB07679E16", "versionEndExcluding": "10.7.1", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4EF482D8-4F40-454D-9A92-9D6924C582E2", "versionEndExcluding": "11.1.0", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "CrushFTP VFS Sandbox Escape Vulnerability"}