{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52309", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-06T19:00:26.397Z", "datePublished": "2024-11-21T17:11:06.556Z", "dateUpdated": "2024-11-21T20:40:32.988Z"}, "containers": {"cna": {"title": "SFTPGo allows administrators to restrict command execution from the EventManager", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7"}, {"name": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb", "tags": ["x_refsource_MISC"], "url": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb"}, {"name": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4", "tags": ["x_refsource_MISC"], "url": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4"}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"version": ">= 2.4.0, < 2.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-21T17:11:06.556Z"}, "descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI."}], "source": {"advisory": "GHSA-49cc-xrjf-9qf7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-21T20:40:11.076587Z", "id": "CVE-2024-52309", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T20:40:32.988Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-21T20:40:11.076587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T20:40:27.270Z"}}], "cna": {"title": "SFTPGo allows administrators to restrict command execution from the EventManager", "source": {"advisory": "GHSA-49cc-xrjf-9qf7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"status": "affected", "version": ">= 2.4.0, < 2.6.3"}]}], "references": [{"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7", "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb", "name": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4", "name": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-21T17:11:06.556Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52309", "state": "PUBLISHED", "dateUpdated": "2024-11-21T20:40:32.988Z", "dateReserved": "2024-11-06T19:00:26.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-21T17:11:06.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. To avoid this confusion, running system commands is disabled by default in 2.6.3, and an allow list has been added so that system administrators configuring SFTPGo must explicitly define which commands are allowed to be configured from the WebAdmin UI."}, {"lang": "es", "value": "SFTPGo es un servidor SFTP, HTTP/S, FTP/S y WebDAV con todas las funciones y altamente configurable: S3, Google Cloud Storage, Azure Blob. Una caracter\u00edstica poderosa de SFTPGo es la capacidad de hacer que EventManager ejecute scripts o ejecute aplicaciones en respuesta a ciertos eventos. Esta caracter\u00edstica es muy com\u00fan en todo el software similar a SFTPGo y generalmente no tiene restricciones. Sin embargo, cualquier administrador de SFTPGo con permiso para ejecutar un script tiene acceso al sistema operativo/contenedor subyacente con los mismos permisos que el usuario que ejecuta SFTPGo. Esto es inesperado para algunos administradores de SFTPGo que piensan que existe una distinci\u00f3n clara entre acceder al shell del sistema y acceder a la interfaz de usuario de WebAdmin de SFTPGo. Para evitar esta confusi\u00f3n, la ejecuci\u00f3n de comandos del sistema est\u00e1 deshabilitada de forma predeterminada en 2.6.3 y se agreg\u00f3 una lista de permitidos para que los administradores del sistema que configuren SFTPGo deban definir expl\u00edcitamente qu\u00e9 comandos se pueden configurar desde la interfaz de usuario de WebAdmin."}], "id": "CVE-2024-52309", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-21T18:15:12.800", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb"}, {"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4"}, {"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}