← volver
CVE-2024-39943

CVE-2024-39943

CVSS 9.9 CRITICALEPSS 48.5%CWE-284
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
Productos afectados
n/a · n/a
PoCs públicas encontradas2
githubgithub.com/Heyholiday067/CVE-2024-39943-Poc0githubgithub.com/JenmrR/Node.js-CVE-2024-399430
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1dhttps://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads