GHSA-hw5f-6wvv-xcrh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hw5f-6wvv-xcrh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hw5f-6wvv-xcrh/GHSA-hw5f-6wvv-xcrh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hw5f-6wvv-xcrh
- Aliases
- Related
- Published
- 2024-06-20T16:11:48Z
- Modified
- 2024-06-28T15:59:45.177545Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- SFTPGo has insufficient access control for password reset
- Details
-
Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
- Database specific
{ "nvd_published_at": "2024-06-20T18:15:13Z", "cwe_ids": [ "CWE-287", "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-20T16:11:48Z" }- References
-
- https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
- https://nvd.nist.gov/vuln/detail/CVE-2024-37897
- https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423
- https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583
- https://github.com/drakkan/sftpgo
- https://github.com/drakkan/sftpgo/releases/tag/v2.6.1
Affected packages
Go / github.com/drakkan/sftpgo/v2
Package
- Name
- github.com/drakkan/sftpgo/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/drakkan/sftpgo/v2