CVE-2023-42657: 
WS_FTP Server vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2023-42657) was discovered in WS_FTP Server versions prior to 8.7.4 and 8.8.2. The vulnerability was disclosed on September 27, 2023, affecting Progress Software's WS_FTP Server product, a secure file transfer solution (Progress Advisory).

The vulnerability allows authenticated attackers to perform unauthorized file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Additionally, attackers could escape the context of the WS_FTP Server file structure and perform the same operations on file and folder locations on the underlying operating system. The vulnerability has been assigned a critical CVSS v3.1 score of 9.9 by Progress Software Corporation, while NIST assigned a score of 9.6 (NVD).

Successful exploitation of this vulnerability could allow attackers to manipulate files and folders beyond their authorized access boundaries, potentially leading to unauthorized access to sensitive data, system files, and folders on the underlying operating system (Arctic Wolf).

Progress Software has released fixed versions: WS_FTP Server 2020 version 8.7.4 and WS_FTP Server 2022 version 8.8.2. Organizations are strongly encouraged to upgrade to these patched versions as soon as possible to mitigate the risk of exploitation (Progress Advisory).