
Cloud Vulnerability DB
A community-led vulnerabilities database
Rejetto HTTP File Server (HFS) 2.x, up to and including version 2.3m, contains a critical server-side template injection vulnerability tracked as CVE-2024-23692. A remote, unauthenticated attacker can execute arbitrary commands on the host by sending a single specially crafted HTTP request. The flaw was found in August 2023 and publicly disclosed in May 2024 (Mohemiv Blog, VulnCheck Advisory).
The vulnerability is a Server-Side Template Injection (SSTI): HFS renders its pages through a template engine with built-in macros, and request data that reaches that engine without being neutralised is interpreted as macro code rather than as text, which is how one HTTP request turns into command execution. It carries a CVSS v3 base score of 9.8, placing it in the Critical band. The vector is network-reachable (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N); scope is unchanged (S:U), and the confidentiality, integrity and availability impacts are all high (C:H/I:H/A:H) (VulnCheck Advisory).
Successful exploitation gives the attacker arbitrary command execution with the privileges of the HFS process, with no credentials required. HFS 2.x is a desktop application that is normally launched by an interactive user rather than run as a locked-down service, so in practice this means full compromise of the host: reading files outside the shared directories, altering system and application configuration, and installing persistence (CISA Alert). CISA has added CVE-2024-23692 to its Known Exploited Vulnerabilities catalog, so any instance reachable from untrusted networks should be assumed to be actively targeted.
Rejetto HFS 2.x is end-of-life and will not receive a fix, so the primary recommendation is to move to HFS version 3. HFS 3 is a separate rewrite rather than a patch release, which makes this a reinstall-and-reconfigure migration rather than an in-place update. Affected 2.x instances should be taken offline, or at minimum removed from any network segment reachable by untrusted clients, until they are replaced: exploitation needs nothing more than a single unauthenticated request (Mohemiv Blog).
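Finding the affected instances is the first step of that migration. The following is an added example, not code from the page or from Rejetto, that triages a banner-grab or asset-inventory export against the affected range stated above (2.x up to and including 2.3m). It assumes the HFS 2.x self-identification format "HFS <major>.<minor><letter>" as seen in its Server response header (for example "HFS 2.3m"); the hostnames in `SAMPLE_INVENTORY` are constructed for the example and are not real hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Last affected release per the advisory: everything up to and including 2.3m.
LAST_AFFECTED = (2, 3, "m")

# Assumed banner format for HFS 2.x: "HFS <major>.<minor><optional letter>",
# e.g. "HFS 2.3m". The trailing letter is the 2.x patch-release convention.
_HFS_RE = re.compile(r"\bHFS\s+(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)

Version = Tuple[int, int, str]


@dataclass
class Finding:
    host: str
    version: Optional[str]   # None when the banner is not an HFS 2.x banner
    unsupported: bool        # any 2.x instance: the series is end-of-life
    cve_2024_23692: bool     # version within the affected range (<= 2.3m)


def parse_hfs_version(server_header: str) -> Optional[Version]:
    m = _HFS_RE.search(server_header or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), m.group(3).lower())


def is_affected(version: Version) -> bool:
    major, minor, letter = version
    if major != 2:
        return False   # only the 2.x series is in scope of the advisory
    # A bare "2.3" predates the lettered builds "2.3a" .. "2.3m", and Python
    # orders "" before "a", so plain tuple comparison matches release order.
    return (major, minor, letter) <= LAST_AFFECTED


def triage(host: str, server_header: str) -> Finding:
    v = parse_hfs_version(server_header)
    if v is None:
        return Finding(host, None, False, False)
    return Finding(host, f"{v[0]}.{v[1]}{v[2]}", v[0] == 2, is_affected(v))


def triage_inventory(rows: List[str]) -> List[Finding]:
    """rows: 'host<TAB>Server header value' lines, as exported from a banner grab."""
    findings = []
    for line in rows:
        if not line.strip():
            continue
        host, _, header = line.partition("\t")
        findings.append(triage(host.strip(), header.strip()))
    return findings


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    "fileshare-01.corp.example\tHFS 2.3m",
    "fileshare-02.corp.example\tHFS 2.3k",
    "fileshare-03.corp.example\tHFS 2.3",
    "web-01.corp.example\tnginx/1.24.0",
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        flag = "VULNERABLE" if f.cve_2024_23692 else ("EOL" if f.unsupported else "ok")
        print(f"{f.host:28} {f.version or '-':8} {flag}")
```

Treat the banner check as a hunting aid, not a clean bill of health: a reverse proxy can rewrite the Server header, and an HFS 2.x build behind one will look like nginx. Any host known to run HFS 2.x should be handled as affected regardless of what the banner says, because the whole series is unsupported.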
Source: This report was generated using AI