RULE(RULE ID:338249)

Rule General Information
Release Date: 2024-07-10
Rule Name: Rejetto HFS Remote Command Execution Vulnerability (CVE-2024-39943)
Severity:
CVE ID: CVE-2024-39943
Rule Protection Details
Description: rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Impact: An attacker with upload permissions can execute arbitrary OS commands in the context of the vulnerable software.
Affected OS: Windows, Linux, Others
Reference: https://github.com/rejetto/hfs/commit/305381bd36eee074fb238b64302a252668daad1d
https://github.com/rejetto/hfs/compare/v0.52.9...v0.52.10
https://www.rejetto.com/wiki/index.php/HFS:_Working_with_uploads
Solutions
Refer to the announcement or patch by the vendor: https://github.com/rejetto/hfs/releases/tag/v0.52.10