PT-2024-35169 · Sftpgo · Sftpgo

Hyperreality · Published 2024-11-21 · Updated 2024-11-23 · CVE-2024-52309

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: SFTPGo versions prior to 2.6.3

Description: SFTPGo has a feature that allows the EventManager to execute scripts or run applications in response to certain events. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators, who assume that there is a clear distinction between accessing the system shell and accessing the SFTPGo WebAdmin UI. The issue allows potential remote code execution.

Recommendations: For versions prior to 2.6.3, consider upgrading to version 2.6.3 or later, where running system commands is disabled by default and an allow list has been added to define which commands are allowed to be configured from the WebAdmin UI. As a temporary workaround, restrict the EventManager to be used only by SFTPGo administrators who also have shell access.
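The fix described above relies on an allow list of commands that the WebAdmin UI may configure, with an empty list meaning system commands are disabled. The following Go snippet is an added illustration of how such a check is typically enforced; it is not SFTPGo's own implementation, and the allow-listed script path is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

var ErrCommandNotAllowed = errors.New("command is not in the allowlist")

// CommandAllowlist holds the absolute command paths an administrator may use in
// event actions; an empty list disables system commands entirely (the safe
// default). Illustrative type, not SFTPGo's own implementation.
type CommandAllowlist struct{ allowed map[string]struct{} }

// NewCommandAllowlist rejects relative entries at configuration time so a lookup
// can never be satisfied by whatever happens to be first on PATH.
func NewCommandAllowlist(paths []string) (*CommandAllowlist, error) {
	al := &CommandAllowlist{allowed: make(map[string]struct{})}
	for _, p := range paths {
		if !filepath.IsAbs(p) {
			return nil, fmt.Errorf("allowlist entry %q is not an absolute path", p)
		}
		al.allowed[filepath.Clean(p)] = struct{}{}
	}
	return al, nil
}

// Check accepts cmd only when it is an absolute path whose cleaned form exactly
// matches a configured entry. Cleaning defeats "/usr/bin/../bin/sh" variants of a
// plain string comparison; exact matching keeps arguments and shell syntax out.
func (al *CommandAllowlist) Check(cmd string) error {
	if len(al.allowed) == 0 {
		return fmt.Errorf("%w: system commands are disabled", ErrCommandNotAllowed)
	}
	if !filepath.IsAbs(cmd) {
		return fmt.Errorf("%w: %q is not absolute", ErrCommandNotAllowed, cmd)
	}
	if _, ok := al.allowed[filepath.Clean(cmd)]; !ok {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, cmd)
	}
	return nil
}

func main() {
	al, _ := NewCommandAllowlist([]string{"/usr/local/bin/notify-backup.sh"}) // constructed sample
	for _, c := range []string{"/usr/local/bin/../bin/notify-backup.sh", "/bin/sh"} {
		fmt.Printf("%-40s -> %v\n", c, al.Check(c))
	}
}
```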

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2024-52309
GHSA-49CC-XRJF-9QF7
GO-2024-3283
OPENSUSE-SU-2024:14519-1

Affected Products

Sftpgo