CVE-2024-23692

critical

Description

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

References

https://vulncheck.com/advisories/rejetto-unauth-rce

https://www.infosecurity-magazine.com/news/russian-cyber-spies-hatvibe/

https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-asia-and-europe

https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/

https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html

https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/

https://github.com/rapid7/metasploit-framework/pull/19240

Details

Source: Mitre, NVD

Published: 2024-05-31

Updated: 2025-01-27

Named Vulnerability: Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine VulnerabilityKnown Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H