CVE-2024-52309: 
Wolfi vulnerability analysis and mitigation

SFTPGo, a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server, contains a vulnerability in its EventManager feature. The issue was discovered in versions 2.4.0 through 2.6.3, where administrators with permission to run scripts through the EventManager could access the underlying OS/container with the same permissions as the user running SFTPGo. This access level was unexpected for some administrators who assumed a clear separation between system shell access and WebAdmin UI access (GitHub Advisory).

The vulnerability stems from the EventManager's ability to execute scripts and run applications in response to certain events. While this is a common feature in similar software, it was generally unrestricted, allowing administrators to execute any command with the same privileges as the SFTPGo service account. This could potentially lead to unauthorized access to database and server configurations. The issue has been assigned a CVSS v4.0 score of 5.1 MEDIUM with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability allows SFTPGo administrators with script execution permissions to gain access to the underlying operating system or container with the same privileges as the SFTPGo service account. This access could potentially be used to view or modify sensitive data, including database contents and server configurations (GitHub Advisory).

The issue has been patched in version 2.6.3, which implements two key security improvements: 1) Command execution is disabled by default, and 2) An allow list has been added requiring system administrators to explicitly define which commands can be configured from the WebAdmin UI. For unpatched systems, the recommended workaround is to restrict EventManager usage to only those SFTPGo administrators who also have shell access (GitHub Advisory).