History: May 31, 2024 - 10:15 a.m.

CVE-2024-23692

2024-05-31 10:15:09
CWE-94
CWE-1336
VulnCheck
web.nvd.nist.gov
In Wild
cve-2024-23692
rejetto http file server
template injection
remote attacker
unauthenticated
arbitrary commands
http request
unsupported

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8
Confidence: High

EPSS: 0.956
Percentile: 99.5%

Rejetto HTTP File Server, up to and including version 2.3m, contains a template injection vulnerability that allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

Affected configurations

Nvd

Node: rejetto http_file_server, Range ≤ 2.3m

Vendor | Product | Version | CPE
rejetto | http_file_server | * | cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HTTP File Server",
    "vendor": "Rejetto",
    "versions": [
      {
        "lessThanOrEqual": "2.3m",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
