PT-2024-28845 · Sftpgo · Sftpgo

Published: 2024-07-22 · Updated: 2024-09-13 · CVE-2024-40430

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SFTPGo version 2.6.2

Description: The issue concerns the JWT implementation in SFTPGo, which lacks certain security measures such as JWT ID (jti) claims, nonces, and proper expiration and invalidation mechanisms. However, exploiting this issue would require an attacker to steal another user's cookie, and SFTPGo validates cookies against the IP address they were issued to, so a cookie stolen and replayed from a different IP address is rejected. The described attack vector therefore requires the attacker to already hold a user's session cookie, at which point they are effectively that user, with the access to user data that user is expected to have.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
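The measures the description lists (a unique jti per token, an expiry, a revocation path, and an IP binding like the one SFTPGo already applies to cookies) fit together in a small session-token issuer. The following is an added example, not SFTPGo's own code: it mints and validates HS256 JWTs with the Go standard library only, and the names (SessionIssuer, Issue, Validate, Revoke), the key and the sample IP addresses are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims carried in the session token. jti, exp and ip are the measures the
// advisory discusses: a unique token id, a lifetime, and a client-IP binding.
type Claims struct {
	Sub string `json:"sub"`
	JTI string `json:"jti"`
	IP  string `json:"ip"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// SessionIssuer mints HS256 tokens and keeps a revocation list keyed by jti.
// The revoked map stores the token expiry so stale entries can be pruned.
type SessionIssuer struct {
	key     []byte
	mu      sync.Mutex
	revoked map[string]time.Time
}

func NewSessionIssuer(key []byte) *SessionIssuer {
	return &SessionIssuer{key: key, revoked: make(map[string]time.Time)}
}

const jwtHeader = `{"alg":"HS256","typ":"JWT"}` // constructed: fixed header, no alg negotiation

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s *SessionIssuer) sign(signingInput string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(signingInput))
	return b64(m.Sum(nil))
}

// Issue creates a token for user, bound to the client IP, valid for ttl, with a
// random 128-bit jti so every token can be individually revoked.
func (s *SessionIssuer) Issue(user, ip string, now time.Time, ttl time.Duration) (string, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return "", err
	}
	c := Claims{Sub: user, JTI: hex.EncodeToString(id[:]), IP: ip, Iat: now.Unix(), Exp: now.Add(ttl).Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(jwtHeader)) + "." + b64(payload)
	return signingInput + "." + s.sign(signingInput), nil
}

// Revoke records the jti so the token is rejected before its exp (logout, password change).
func (s *SessionIssuer) Revoke(c Claims) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.revoked[c.JTI] = time.Unix(c.Exp, 0)
}

// Validate checks, in order: structure and header, HMAC signature, expiry,
// presence of jti, IP binding, and the revocation list.
func (s *SessionIssuer) Validate(token, ip string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64([]byte(jwtHeader)) {
		return c, errors.New("malformed token or unexpected header")
	}
	if !hmac.Equal([]byte(s.sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return c, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if c.JTI == "" || now.Unix() >= c.Exp {
		return c, errors.New("token expired or missing jti")
	}
	if c.IP != ip {
		return c, errors.New("token presented from a different IP than it was issued to")
	}
	s.mu.Lock()
	_, dead := s.revoked[c.JTI]
	s.mu.Unlock()
	if dead {
		return c, errors.New("token revoked")
	}
	return c, nil
}

func main() {
	s := NewSessionIssuer([]byte("constructed-demo-key")) // constructed key, not a real secret
	now := time.Now()
	tok, _ := s.Issue("alice", "203.0.113.10", now, time.Hour)
	_, err := s.Validate(tok, "198.51.100.7", now) // same token, other IP: rejected
	fmt.Println("replay from another IP:", err)
}
```

The check order matters: the signature is verified before any claim is read, and the revocation lookup runs last so an expired or mis-bound token never reaches shared state. Revoked entries can be pruned once their stored expiry passes, because after that the exp check alone rejects the token.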

Exploit: IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-40430, GHSA-X72P-G37Q-4XR9

Affected Products: Sftpgo