VYPR
High severity · NVD Advisory · Published Jul 31, 2024 · Updated Aug 1, 2024

CVE-2024-41255


Description

CVE-2024-41255: Filestash v0.4 skips TLS certificate verification for FTPS, enabling MITM attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Description

Filestash v0.4, a file management platform supporting multiple storage protocols, is vulnerable to CVE-2024-41255 because the FTPS plugin’s Init function in index.go skips TLS certificate verification [1][4]. This configuration setting disables the standard TLS handshake step where the client validates the server’s certificate against a trusted CA store, accepting any certificate presented during the connection [2].

Exploitation

An attacker who can intercept network traffic between a Filestash client and a legitimate FTPS server (for example, via ARP spoofing, rogue Wi-Fi, or compromised network infrastructure) can exploit this misconfiguration. Because the client does not verify the server’s TLS certificate, the attacker can present a self-signed or fraudulent certificate and establish a man-in-the-middle (MITM) position without triggering a warning or error [1][3]. No authentication bypass or additional privileges are required; the attack is possible over the network.

Impact

Once an attacker is in a MITM position, they can decrypt, read, and modify FTPS traffic, including credentials (username/password) and any files transferred between the client and the server. This fully compromises the confidentiality and integrity of the data exchanged over the FTPS protocol [1][3].

Mitigation

As of the publication date of this CVE, vendors have not yet confirmed a patch for CVE-2024-41255. The project maintainer recommends enabling certificate verification by modifying the FTPS plugin configuration in the source code (specifically index.go) or following any official advisory updates from the Filestash repository [2][4]. Users should also consider using alternative secure transfer protocols (e.g., SFTP) or implementing network-level controls (e.g., IPsec) until a patched version is released.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
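To make the configuration point concrete, here is an added Go example (not Filestash's own code) that places the weak client shape described above next to a verifying one and checks both against a constructed, untrusted certificate served on loopback. The function names, the "localhost" fixture and the loopback harness are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCert is a constructed fixture: an untrusted throwaway certificate for "localhost", standing in for one an interposer would present.
func selfSignedCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// insecureConfig is the weak client shape behind CVE-2024-41255: any server certificate is accepted.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// verifyingConfig is the corrected shape: the chain must end at a trusted root (system store when roots is nil) and be valid for host.
func verifyingConfig(host string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// handshakeOK serves cert on a loopback listener and reports whether a client using cfg completes the TLS handshake with it.
func handshakeOK(cert tls.Certificate, cfg *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // server side: accept one connection and run its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil { // otherwise err reads e.g. "x509: certificate signed by unknown authority"
		conn.Close()
	}
	return err == nil
}
```

Run the three comparisons from a main or a test: handshakeOK(cert, insecureConfig()) succeeds against the untrusted fixture, verifyingConfig("localhost", nil) rejects it, and verifyingConfig("localhost", pool) succeeds once the fixture's certificate has been added to pool, which is what a proper fix (or explicit pinning) looks like from the client's side.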

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           github.com/mickael-kerjean/filestash (Go)
Affected versions: <= 0.4
Patched versions:  (none)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6
