External Control of File Name or Path in CrushFTP

#VU88869 External Control of File Name or Path in CrushFTP

Published: 2024-04-26 | Updated: 2024-05-07

Vulnerability identifier: #VU88869

Vulnerability risk: High

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2024-4040

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
CrushFTP
Server applications / File servers (FTP/HTTP)

Vendor:

Description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to application allows to access files outside of the virtual file system. A remote authenticated user can read arbitrary system files.

Note, the vulnerability is being exploited in the wild.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
http://old.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
http://crushftp.com/version11_build.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Arbitrary file download in CrushFTP