CVE-2024-39943

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-39943

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39943.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39943

Aliases

GHSA-5f4x-hwv2-w9w2

Published

2024-07-04T23:15:09Z

Modified

2025-05-19T03:30:21.540238Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

References

Affected packages

Git / github.com/rejetto/hfs

Affected ranges

Type: GIT
Repo: https://github.com/rejetto/hfs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

305381bd36eee074fb238b64302a252668daad1d

Fixed

305381bd36eee074fb238b64302a252668daad1d

Affected versions

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.14.5

v0.15.0

v0.16.0

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.18.0

v0.19.0

v0.20.0

v0.20.1

v0.21.0

v0.21.1

v0.22.0

v0.22.1

v0.22.2

v0.23.0

v0.23.1

v0.24.0

v0.24.1

v0.24.2

v0.24.3

v0.25.0

v0.26.0

v0.26.1

v0.26.2

v0.26.3

v0.26.4

v0.26.5

v0.26.6

v0.26.7

v0.26.8

v0.26.9

v0.27.0

v0.27.1

v0.27.2

v0.28.0

v0.29.0

v0.29.1

v0.3.0-alpha

v0.30.0

v0.30.1

v0.30.2

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.34.1

v0.35.0

v0.36.0

v0.37.0

v0.38.0

v0.38.1

v0.38.2

v0.38.3

v0.39.0

v0.4.0-alpha

v0.4.1-alpha

v0.40.0

v0.40.1

v0.41.0

v0.42.0

v0.42.2

v0.42.3

v0.43.0

v0.44.0

v0.45.0

v0.46.0

v0.46.1

v0.47.0

v0.47.0-alpha2

v0.47.0-alpha3

v0.47.0-alpha4

v0.47.0-alpha5

v0.47.0-alpha6

v0.47.0-beta7

v0.47.1

v0.47.2

v0.47.3

v0.47.4

v0.48.0

v0.48.0-alpha1

v0.48.0-alpha2

v0.48.0-alpha3

v0.48.0-alpha4

v0.48.0-beta6

v0.48.1

v0.48.2

v0.48.3

v0.49.0

v0.49.0-alpha1

v0.49.0-alpha2

v0.49.0-alpha3

v0.49.0-alpha4

v0.49.0-alpha5

v0.49.0-beta6

v0.49.0-beta7

v0.49.0-beta8

v0.49.1

v0.49.2

v0.49.3

v0.49.4

v0.5.0-alpha

v0.50.0

v0.50.0-alpha1

v0.50.0-alpha2

v0.50.0-alpha3

v0.50.0-beta4

v0.50.0-beta5

v0.50.1

v0.50.2

v0.50.3

v0.50.4

v0.50.5

v0.50.6

v0.51.0

v0.51.0-alpha1

v0.51.0-alpha3

v0.51.0-beta10

v0.51.0-beta4

v0.51.0-beta5

v0.51.0-beta6

v0.51.0-beta7

v0.51.0-beta8

v0.51.0-beta9

v0.51.0-rc11

v0.51.1

v0.51.2

v0.51.3

v0.52.0

v0.52.0-alpha1

v0.52.0-alpha2

v0.52.0-alpha3

v0.52.0-beta4

v0.52.0-beta5

v0.52.0-beta6

v0.52.0-beta7

v0.52.0-beta8

v0.52.0-beta9

v0.52.1

v0.52.2

v0.52.3

v0.52.4

v0.52.5

v0.52.6

v0.52.7

v0.52.8

v0.52.9

v0.6.0-alpha

v0.6.1-alpha

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v0.9.1