History: Aug 28, 2024 - 4:30 p.m.

CVE-2024-7744 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Progress WS_FTP Server

2024-08-28 16:30:14
CWE-73
CWE-22
ProgressSoftware
www.cve.org
path traversal
file discovery
probe system files
authenticated
api call

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 19.8%

In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal.

An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:).

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Web Transfer Module"
    ],
    "platforms": [
      "Windows"
    ],
    "product": "WS_FTP Server",
    "vendor": "Progress Software Corporation",
    "versions": [
      {
        "lessThan": "8.8.8",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]
