CVE-2024-45186: FileSender Vulnerability Poses Risk to User Credentials, Immediate Action Required
A severe security flaw has been identified in FileSender, the widely used web-based application that lets authenticated users send large files securely. The vulnerability, tracked as CVE-2024-45186, was reported by security researcher Jonathan Bouman. It is a server-side template injection (SSTI) flaw that lets an unauthenticated user retrieve credentials held on the server, putting sensitive data and connected systems at risk.
The vulnerability affects all 2.x versions before 2.49 as well as the 3.x beta releases, potentially compromising any deployment still running one of them. An unauthenticated attacker can abuse the server’s template processing function to read credentials stored on the server. The CVSS score of 7.9 rates the issue as high rather than critical, and not every installation will be exposed to the same degree, but the possible leak of credentials makes this an upgrade that should not wait.
FileSender relies on SimpleSAMLphp for authentication and supports protocols such as SAML2, LDAP, and RADIUS, and it is built to meet the security requirements of the higher education and research communities. This vulnerability nevertheless opens an entry point that needs no account at all. Deployments that use an S3 storage back-end are singled out as particularly exposed: the credentials a FileSender server holds for its storage back-end are among the secrets an attacker could retrieve, so a breach there could extend beyond the FileSender host itself.
To mitigate the risk, the FileSender project urges operators to upgrade to version 2.49, or to the latest 3.x release candidate for 3.x deployments, without delay. Not every deployment will be affected in the same way, but upgrading is the only way to close the hole and keep the server’s credentials out of an attacker’s hands.
Organizations running an S3 storage back-end should treat this upgrade as the top priority, since their deployments carry the most valuable credentials and therefore face the greatest risk. Leaving a vulnerable version in place invites unauthorized access and data breaches, with potentially severe consequences for the affected organization.
To protect your FileSender deployment, users should:
- Upgrade to FileSender version 2.49 or the latest 3.x release candidate as soon as possible.
- Visit the FileSender GitHub page to download the latest release and follow the upgrade instructions.
- Prioritize the upgrade if using an S3 storage back-end to avoid unauthorized access.
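As a practical check for the steps above, here is an added example (not FileSender project code) that classifies deployed version strings against the affected and fixed versions the advisory names, and orders an inventory so that S3-backed sites come first. It assumes you have already collected each site’s version string and storage back-end label by whatever means your installs expose them; the inventory below is constructed for illustration. Two judgement calls are the author’s assumptions rather than the advisory’s words: a 3.x release candidate is flagged for manual verification rather than marked fixed, because the advisory only names the latest release candidate as safe, and a 3.x final release or any later major version is treated as postdating the fix.

```python
import re
from enum import Enum


class Status(Enum):
    AFFECTED = "affected by CVE-2024-45186: upgrade now"
    VERIFY = "verify this is the latest 3.x release candidate"
    FIXED = "not affected by CVE-2024-45186"
    UNKNOWN = "unrecognised version string"


# Accepts forms such as "2.48", "v2.48.2", "3.0-beta2", "3.0.0-rc1", "3.0.beta".
# The accepted spellings are an assumption; adjust if your installs report differently.
_VERSION_RE = re.compile(
    r"^v?(?P<nums>\d+(?:\.\d+)*)"
    r"(?:[-.]?(?P<tag>alpha|beta|rc|dev)\.?(?P<tagnum>\d+)?)?$",
    re.IGNORECASE,
)


def parse_version(version):
    """Return (numeric_parts, prerelease_tag) or None if the string is not a version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    nums = tuple(int(x) for x in m.group("nums").split("."))
    tag = (m.group("tag") or "").lower()
    return nums, tag


def assess(version):
    """Classify one FileSender version string against the advisory's affected set."""
    parsed = parse_version(version)
    if parsed is None:
        return Status.UNKNOWN
    nums, tag = parsed
    major = nums[0]
    minor = nums[1] if len(nums) > 1 else 0
    if major < 2:
        # Anything older than the 2.x line predates the fix.
        return Status.AFFECTED
    if major == 2:
        # Advisory: every 2.x release before 2.49 is affected; 2.49 and later are fixed.
        return Status.AFFECTED if minor < 49 else Status.FIXED
    if major == 3:
        if tag in ("alpha", "beta", "dev"):
            # Advisory: the 3.x beta releases are affected (alpha/dev treated the same).
            return Status.AFFECTED
        if tag == "rc":
            # Only the *latest* 3.x release candidate is named as fixed; check release page.
            return Status.VERIFY
        # Assumption: a 3.x final release postdates the fix.
        return Status.FIXED
    # Assumption: later major versions postdate the fix.
    return Status.FIXED


def triage(inventory):
    """Return (host, status, storage) for every site that still needs action,
    S3-backed deployments first (they hold the most sensitive credentials), then by host."""
    todo = []
    for site in inventory:
        status = assess(site["version"])
        if status is Status.FIXED:
            continue
        todo.append((site["host"], status, site["storage"]))
    todo.sort(key=lambda entry: (entry[2].lower() != "s3", entry[0]))
    return todo


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "fs-a.example.org", "version": "2.48.2", "storage": "filesystem"},
    {"host": "fs-b.example.org", "version": "3.0-beta2", "storage": "s3"},
    {"host": "fs-c.example.org", "version": "2.49", "storage": "s3"},
    {"host": "fs-d.example.org", "version": "3.0.0-rc1", "storage": "filesystem"},
    {"host": "fs-e.example.org", "version": "2.47", "storage": "S3"},
]


if __name__ == "__main__":
    for host, status, storage in triage(SAMPLE_INVENTORY):
        print(f"{host:20} {storage:11} {status.value}")
```

Run it over your own inventory and work the list from the top: the S3-backed hosts come first, and any host reported as UNKNOWN needs a manual look at what version it is actually running before it is assumed safe.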
This vulnerability poses a significant risk to the security of your system. By acting promptly, you can mitigate the potential impact of CVE-2024-45186 and protect your FileSender deployment from malicious exploitation.