x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-52309

Advisory CVE-2024-52309 references a vulnerability in the following Go modules:

Module
github.com/drakkan/sftpgo

Description: SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in all software similar to SFTPGo and is generally unrestricted. However, any SFTPGo administrator with permission to run a script has access to the underlying OS/container with the same permissions as the user running SFTPGo. This is unexpected for some SFTPGo administrators who think that there is a cle...

References:

Cross references:

github.com/drakkan/sftpgo appears in 3 other report(s):
- data/reports/GO-2022-0964.yaml (https://github.com/golang/vulndb/issues/964)
- data/reports/GO-2022-1015.yaml (https://github.com/golang/vulndb/issues/1015)
- data/reports/GO-2024-2940.yaml (https://github.com/golang/vulndb/issues/2940)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/drakkan/sftpgo
      vulnerable_at: 1.2.2
summary: CVE-2024-52309 in github.com/drakkan/sftpgo
cves:
    - CVE-2024-52309
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52309
    - fix: https://github.com/drakkan/sftpgo/commit/88b1850b5806eee81150873d4e565144b21021fb
    - fix: https://github.com/drakkan/sftpgo/commit/b524da11e9466d05fe03304713ee1c61bb276ec4
    - web: https://github.com/drakkan/sftpgo/security/advisories/GHSA-49cc-xrjf-9qf7
source:
    id: CVE-2024-52309
    created: 2024-11-21T19:01:14.832903437Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-52309 #3283