Wesley van de Kamp discovered a vulnerability in FileSender versions 2.15 through 2.50 that enables non-admin users to delete the API secrets of all users, potentially disrupting REST clients such as the Python command-line client by removing essential API keys. We are keen to ensure that everyone from the FileSender deployer community is informed and is running a FileSender instance above 2.50.
At FileSender, our commitment to maintaining a secure and trustworthy platform is paramount. Before releasing a new FileSender version that carries major changes, it is vitally important to conduct a full-system security audit. FileSender always asks an external organisation to perform an audit (black-box, white-box and source-code audit) before a release is declared stable. This helps identify and address potential vulnerabilities and maintain the highest security standards for users.
In addition to the external audit, we are committed to fostering strong relationships with the cybersecurity community. We would like to highlight the exemplary efforts of Wesley van de Kamp, a professional security pentester, whose responsible disclosure strengthened the security of our open-source software. A high-severity vulnerability was identified in FileSender versions 2.15 through 2.50. This vulnerability was classified under CVE-2024-55038.
CVE details
- CVE Identifier: CVE-2024-55038
- Severity Rating: 7.1 (High)
- Affected Versions: FileSender versions 2.15 through 2.50
- Discovered By: Wesley van de Kamp
- Issue Type: Improper Access Control
- Impact: Enables non-admin users to delete API secrets
- Urgency: Medium
Understanding the severity of this vulnerability, our Lead Developer prioritized a fix. The issue is resolved in FileSender 2.51 and 3.0rc4 and later. To mitigate this risk, we encourage all FileSender deployers to update to the latest versions.
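For deployers who manage several instances, the following added example (not FileSender project code) checks a reported version string against the affected and fixed versions stated above and lists the hosts that still need an upgrade. It assumes version strings of the form `MAJOR.MINOR[.PATCH][rcN]`, treats a 3.0 release candidate below rc4 as needing an upgrade, and uses a constructed inventory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version facts from the advisory: 2.15 through 2.50 affected, fixed in 2.51 and 3.0rc4.
AFFECTED_LOW = (2, 15)
AFFECTED_HIGH = (2, 50)
FIXED_3X_RC = 4

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, Optional[int]]:
    """Parse 'MAJOR.MINOR[.PATCH][rcN]' (e.g. '2.50', '3.0rc4') into numbers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FileSender version: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def cve_2024_55038_status(text: str) -> str:
    """Classify one deployed version against CVE-2024-55038."""
    major, minor, patch, rc = parse_version(text)
    if major == 2:
        if (major, minor) < AFFECTED_LOW:
            return "not listed as affected (older than 2.15)"
        if (major, minor) <= AFFECTED_HIGH:
            return "AFFECTED: upgrade to 2.51 or later"
        return "fixed"
    if major == 3:
        # Assumption: 3.0 pre-releases before rc4 do not carry the fix.
        if (minor, patch) == (0, 0) and rc is not None and rc < FIXED_3X_RC:
            return "3.0 pre-release before rc4: upgrade to 3.0rc4 or later"
        return "fixed"
    return "unknown release line"


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose version is affected or is an unfixed 3.0 pre-release."""
    needs = []
    for host, version in sorted(inventory.items()):
        status = cve_2024_55038_status(version)
        if status.startswith("AFFECTED") or status.startswith("3.0 pre-release"):
            needs.append(host)
    return needs


# Constructed sample inventory (hostname -> reported FileSender version).
SAMPLE_INVENTORY = {
    "files-a.example": "2.50",
    "files-b.example": "2.51",
    "files-c.example": "3.0rc3",
    "files-d.example": "3.0rc4",
}
```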
The role of the Cybersecurity Community
Demonstrating commendable professionalism, Wesley reported the discovered vulnerability through the Coordinated Vulnerability Disclosure procedure at SURF, the Dutch NREN. Coordinated Vulnerability Disclosure is a collaborative process where security researchers responsibly report vulnerabilities to software maintainers, allowing time for resolution before public disclosure. This approach ensures that vulnerabilities are addressed effectively, minimizing potential risks to users and maintaining the integrity of the software ecosystem. Wesley’s adherence to Coordinated Vulnerability Disclosure best practices ensured that the issue was addressed promptly and securely, safeguarding our user community from potential exploitation.
Wesley’s dedication to uncovering and responsibly disclosing this vulnerability was inspired by the Critical Thinking – Bug Bounty Podcast, particularly an episode featuring Dr. Jonathan Bouman. In this episode, Jonathan discusses his dual roles as a hacker and healthcare professional, ethical hacking considerations in sensitive fields, and his experiences with Amazon’s bug bounty program.
“As a cybersecurity researcher, I believe it is essential to share my knowledge and experience to inspire young people to enter the field. By doing so together, we can contribute to making the internet a safer place for everyone.”
Jonathan Bouman at the workshop ‘Advanced Web Bug Hunting’, January 9, 2025
Such narratives inspire security professionals like Wesley to engage in responsible disclosure, reinforcing the collaborative spirit essential for robust cybersecurity.
We extend our gratitude to Wesley van de Kamp for his work and dedication to improving FileSender’s security. His actions exemplify the positive impact that responsible disclosure can have on the broader technology ecosystem.
To upgrade to the latest secure version of FileSender, please download it from our releases page on GitHub and follow the provided instructions. Your prompt action is essential in safeguarding your data and maintaining the integrity of your FileSender deployment.