Learn more about the recommended actions and the maintenance release Redwood has made available to eliminate the minor vulnerability tracked as CVE-2023-50452.

In response to security incidents which have impacted other file transfer providers over the past year, Redwood Software has significantly increased its security posture across all File Transfer products, including Cerberus FTP Server.

Recently, an independent cybersecurity researcher, Joran Lereec from Excube Cyber Security, disclosed to Redwood a file path disclosure vulnerability (CVE-2023-50452*) in the web application of Cerberus FTP Server. While it does not appear to be publicly exploitable, we believe it is essential to share this information with all Cerberus customers.

What was found?

This minor vulnerability is a full path disclosure in the web application of Cerberus FTP Server, Version 12.0 through 13.2. Under error conditions, an authenticated user invoking the “unzip” function could see the full path of a file on the server’s file system.

Although we do not believe this is publicly exploitable, because reproducing it requires an authenticated user, the error message reveals more information than necessary. The maintenance release changes this error so that it reports only a relative path rather than the server’s absolute file location, further tightening your overall security by eliminating this potential risk.
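As an added illustration of the fix described above (this is example code, not Cerberus FTP Server or Redwood code), the Python below shows a generic web "unzip" handler in its disclosing form beside a corrected form. It assumes a server that maps each authenticated user to a virtual root directory on disk; the directory layout, function names and the sample archive paths are constructed for the example.

```python
"""Full-path disclosure in an 'unzip' error message, and a hardened form.

Added example, not Cerberus FTP Server code. Assumes each authenticated
user has a virtual root on disk and may unzip archives stored under it.
"""
import tempfile
import zipfile
from pathlib import Path


def unzip_verbose(archive: Path, dest: Path) -> str:
    """Disclosing form: the raw exception text, which carries the absolute
    on-disk path of the archive, is returned straight to the web client."""
    try:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(dest)
        return "ok"
    except (zipfile.BadZipFile, OSError) as exc:
        # e.g. "[Errno 2] No such file or directory: '/srv/ftp/users/alice/inbox/x.zip'"
        return f"unzip failed: {exc}"


def unzip_hardened(archive: Path, dest: Path, user_root: Path) -> str:
    """Hardened form: the message names the archive only relative to the
    user's own root, and reports the error class instead of the OS text,
    so the server's file system layout is never echoed back."""
    try:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(dest)
        return "ok"
    except (zipfile.BadZipFile, OSError) as exc:
        try:
            shown = archive.resolve().relative_to(user_root.resolve()).as_posix()
        except ValueError:
            # Archive is outside the user's root: show only the file name.
            shown = archive.name
        return f"unzip failed: {shown}: {type(exc).__name__}"


def leaks_server_path(message: str, server_root: Path) -> bool:
    """Detection check: does a client-facing message contain the server root?"""
    return str(server_root) in message


def demo() -> dict:
    """Run both forms against a constructed user root with a missing archive
    and a corrupt archive, returning the messages for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        server_root = base / "srv" / "ftp"              # constructed layout
        user_root = server_root / "users" / "alice"
        inbox = user_root / "inbox"
        inbox.mkdir(parents=True)

        missing = inbox / "report.zip"                  # deliberately absent
        corrupt = inbox / "broken.zip"
        corrupt.write_bytes(b"not a zip archive")       # constructed bad input
        dest = inbox / "extracted"

        return {
            "server_root": str(server_root),
            "verbose_missing": unzip_verbose(missing, dest),
            "hardened_missing": unzip_hardened(missing, dest, user_root),
            "verbose_corrupt": unzip_verbose(corrupt, dest),
            "hardened_corrupt": unzip_hardened(corrupt, dest, user_root),
            "leaks_verbose": leaks_server_path(unzip_verbose(missing, dest), server_root),
            "leaks_hardened": leaks_server_path(unzip_hardened(missing, dest, user_root), server_root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened form keeps everything the user needs to act on (which of their files failed, and why) while dropping the part that only describes the server: the absolute prefix above their root and the operating system's own error text. The `leaks_server_path` check is the kind of assertion a regression test for this class of issue can make against every client-facing error string.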

Were any customers impacted by this?

To our knowledge, there has been no impact on customers, as there is no known exploit. However, in keeping with our commitment to security, we strongly recommend that you download the maintenance release and upgrade to Version 13.2.1.

Where do I download Version 13.2.1?

You can download Version 13.2.1 by following the instructions here. This release modifies the “unzip” function error message so that it provides only a relative path to the authenticated user.

Need any help?

Our support team is available for any questions and help with this maintenance release. We thank you for choosing Cerberus FTP.

*Note: At the time of posting, the CVE was requested and reserved. This note will be removed once the CVE has been fully published.