CVE-2024-39943

high-risk
Published 2024-07-04

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Do I need to act?

!
78.3% chance of exploitation in next 30 days
EPSS score — higher than 22% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 0fc82dc7736446e7f16a07071a5fe7f98631e7b6, 305381bd36eee074fb238b64302a252668daad1d
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Rejetto

References (6)

Patch https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d
Patch https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10
Product https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads
Patch https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d
Patch https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10
Product https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads
58
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal