SFTPGo DC-2023-40477 (Critical)

2024-11-22


SFTPGo, a popular SFTP server, has a critical vulnerability that lets an authenticated administrator of the SFTPGo WebAdmin UI execute arbitrary commands on the underlying system, even when that administrator was never meant to have shell access. The cause is the unrestricted command action of the EventManager feature: any command an administrator configures is executed with the same permissions as the SFTPGo process user, so WebAdmin access alone is enough to gain a shell as that user.

Vulnerability Details:

Platform: SFTPGo
Version: All versions before the fix
Vulnerability: Arbitrary Command Execution
Severity: Critical
Date: 2023-10-24

What Undercode Says:

This is a serious vulnerability that could allow an attacker who obtains WebAdmin credentials (or a malicious administrator) to take control of the underlying system. All SFTPGo users should upgrade to the latest version, which includes a patch that disables system commands in event actions by default and only runs commands that have been explicitly allowlisted in the configuration.

Until the upgrade is done, restrict the EventManager feature to administrators who already have shell access on the host. Anyone who can define a command action effectively has a shell as the SFTPGo user, so the set of administrators allowed to manage events should be no larger than the set you would trust with that shell.
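The two controls described above, the patched default-deny allowlist and the workaround of gating EventManager command actions behind an administrator permission, can be illustrated together. The following Go code is an added example written for this post; it is not SFTPGo's own code, and the type names, the permission name `manage_event_commands`, and the constructed sample paths are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Admin is a constructed stand-in for a WebAdmin account. The permission
// names are assumptions for this example, not SFTPGo's own.
type Admin struct {
	Username    string
	Permissions []string
}

// PermManageEventCommands is the hypothetical permission an administrator
// needs before an event action may run a system command (the workaround:
// only admins you would trust with a shell get it).
const PermManageEventCommands = "manage_event_commands"

// CommandPolicy is the allowlist of executables that event actions may run.
// With no entries every command is refused, which is the patched default.
type CommandPolicy struct {
	allowed map[string]struct{}
}

// NewCommandPolicy builds a policy from explicitly configured paths.
func NewCommandPolicy(paths []string) CommandPolicy {
	p := CommandPolicy{allowed: make(map[string]struct{})}
	for _, path := range paths {
		p.allowed[filepath.Clean(path)] = struct{}{}
	}
	return p
}

var (
	ErrCommandsDisabled = errors.New("system commands are disabled: no commands allowlisted")
	ErrNotAbsolute      = errors.New("command must be an absolute path")
	ErrNotAllowed       = errors.New("command is not in the allowlist")
	ErrForbidden        = errors.New("administrator lacks permission to configure command actions")
)

// ResolveCommand returns the cleaned executable path if, and only if, cmd
// is allowlisted. The path is normalised before the lookup so that "../"
// tricks cannot reach a binary outside the allowlist, and it is matched as
// a whole string, so appended arguments or shell metacharacters never match.
func (p CommandPolicy) ResolveCommand(cmd string) (string, error) {
	if len(p.allowed) == 0 {
		return "", ErrCommandsDisabled
	}
	clean := filepath.Clean(strings.TrimSpace(cmd))
	if !filepath.IsAbs(clean) {
		return "", ErrNotAbsolute
	}
	if _, ok := p.allowed[clean]; !ok {
		return "", ErrNotAllowed
	}
	return clean, nil
}

// AuthorizeCommandAction applies both controls: the administrator must hold
// the permission, and the command must be allowlisted.
func AuthorizeCommandAction(admin Admin, p CommandPolicy, cmd string) (string, error) {
	hasPerm := false
	for _, perm := range admin.Permissions {
		if perm == PermManageEventCommands {
			hasPerm = true
			break
		}
	}
	if !hasPerm {
		return "", ErrForbidden
	}
	return p.ResolveCommand(cmd)
}

func main() {
	// Constructed sample: one allowlisted notification script.
	policy := NewCommandPolicy([]string{"/usr/local/bin/notify.sh"})
	admin := Admin{Username: "ops", Permissions: []string{PermManageEventCommands}}
	for _, cmd := range []string{
		"/usr/local/bin/notify.sh",          // allowed
		"/usr/local/bin/../../bin/sh",       // normalises to /bin/sh, refused
		"/usr/local/bin/notify.sh; /bin/sh", // not an exact allowlist match, refused
		"notify.sh",                         // relative, refused
	} {
		path, err := AuthorizeCommandAction(admin, policy, cmd)
		fmt.Printf("%-38q -> path=%q err=%v\n", cmd, path, err)
	}
}
```

The important design choice is that an empty allowlist means "nothing runs", not "everything runs": an operator who never touches the command configuration after upgrading gets the safe behaviour, and enabling a script is a deliberate, auditable change to the server configuration rather than something an administrator can do from the web UI.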

This vulnerability highlights the importance of careful configuration and access control for SFTP servers: a feature that runs operator-supplied commands turns every account that can configure it into a shell account. Keep the software up to date and review who holds administrative access.

References:

Reported by: GitHub.com
Undercode AI: https://ai.undercodetesting.com
