CVE-2024-38909: Studio 42 elFinder vulnerable to Incorrect Access Control

July 30, 2024 (updated October 25, 2024)

Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc.

References

github.com/B0D0B0P0T/CVE/blob/main/CVE-2024-38909
github.com/Studio-42/elFinder
github.com/advisories/GHSA-3h9f-mm2x-4j58
nvd.nist.gov/vuln/detail/CVE-2024-38909

Detect and mitigate CVE-2024-38909 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →