Sftpgo · Sftpgo · CVE-2025-24366
**Name of the Vulnerable Software and Affected Versions**
SFTPGo versions prior to v2.6.5
**Description**
SFTPGo is an open source, event-driven file transfer solution that supports execution of a defined set of commands via SSH, including the optional `rsync` command. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the `rsync` command to read or write files with the permissions of the SFTPGo server process.
**Recommendations**
For versions prior to v2.6.5, upgrade to v2.6.5 or later; that release fixes the issue by checking the client provided `rsync` arguments. As a temporary workaround until the patched version can be deployed, consider disabling the `rsync` command. Restrict access to the `rsync` command to minimize the risk of exploitation, and avoid using it with untrusted input until the issue is resolved.
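As an added illustration of the kind of argument checking the fix is described as performing (hypothetical code, not SFTPGo's own), here is a strict allowlist validator for the server-mode `rsync` command line a client sends; `root`, the directory the user is confined to, is an assumed deployment detail, and a real deployment may extend the allowlist with long options it judges safe.

```go
package main

import (
	"errors"
	"path"
	"regexp"
	"strings"
)

// Hypothetical strict allowlist (not SFTPGo's own fix). A client-driven
// session starts the server side as: rsync --server [--sender] -<flags>e.<caps> . <path>
// Only that shape is accepted; any other long option is rejected, so client
// options that could redirect rsync's reads or writes never reach the process.
var shortFlags = regexp.MustCompile(`^-[a-zA-Z]*(e\.[a-zA-Z]*)?$`)

// validateRsyncArgs returns the argument list to execute, with the path
// resolved inside root (the directory the user is confined to), or an error.
func validateRsyncArgs(args []string, root string) ([]string, error) {
	if len(args) < 4 || args[0] != "--server" {
		return nil, errors.New("rsync: expected --server as the first argument")
	}
	out, i := []string{"--server"}, 1
	if args[i] == "--sender" {
		out, i = append(out, "--sender"), 2
	}
	if i+3 != len(args) {
		return nil, errors.New("rsync: expected exactly <flags> . <path> after the mode options")
	}
	if !shortFlags.MatchString(args[i]) {
		return nil, errors.New("rsync: unexpected option " + args[i])
	}
	if args[i+1] != "." {
		return nil, errors.New("rsync: expected \".\" before the path")
	}
	if strings.HasPrefix(args[i+2], "-") {
		return nil, errors.New("rsync: path must not look like an option")
	}
	// path.Join cleans "..", so an escape attempt simply fails the prefix test.
	root = path.Clean(root)
	full := path.Join(root, args[i+2])
	if full != root && !strings.HasPrefix(full, strings.TrimSuffix(root, "/")+"/") {
		return nil, errors.New("rsync: path escapes the user's root")
	}
	return append(out, args[i], ".", full), nil
}
```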