PT-2024-35452 · Sftpgo+1

Author: Denisvr72
Published: 2024-11-29
Updated: 2024-12-11

CVE-2024-52801
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: sftpgo versions prior to v2.6.4

Description: The OpenID Connect implementation in sftpgo allows authenticated users to brute force session cookies and gain access to other users' data. The cookies are generated with the xid library, whose identifiers are unique but predictable, so they are not cryptographically secure session tokens.

Recommendations: For versions prior to v2.6.4, upgrade to v2.6.4 or later, where cookies are opaque, cryptographically secure strings. As a temporary workaround, consider restricting access to the OpenID Connect implementation until the patch can be applied, and avoid relying on the predictably generated session cookies in the affected API endpoints until the issue is resolved.
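The fix described above replaces xid-based cookies with opaque random strings. The following Go program, added here as an illustration and not taken from the sftpgo project, shows the defender's side of that change: a session token built from the operating system CSPRNG via crypto/rand, plus a check that a token presented to the server decodes to at least 128 bits of entropy. The function names (NewSessionToken, TokenEntropyBits, IsStrongToken) and the 128-bit threshold are this example's own choices. For comparison, an xid identifier is 12 bytes composed of a timestamp, a machine id, a process id and a counter, with no random component, which is why it cannot serve as a bearer secret however unique it is.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// MinTokenBits is the smallest entropy (in bits) this example accepts for a
// session token. 128 bits makes online brute force infeasible; this value is
// an assumption of the example, not a sftpgo setting.
const MinTokenBits = 128

// NewSessionToken returns an opaque, URL-safe session token made of nBytes of
// CSPRNG output. Unlike an xid, the token carries no structure (no timestamp,
// machine id, pid or counter) that an attacker could reconstruct.
func NewSessionToken(nBytes int) (string, error) {
	if nBytes*8 < MinTokenBits {
		return "", fmt.Errorf("token of %d bytes is below %d bits of entropy", nBytes, MinTokenBits)
	}
	buf := make([]byte, nBytes)
	// crypto/rand reads from the OS CSPRNG (getrandom/urandom, CryptGenRandom...).
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	// Raw URL-safe base64: no padding, safe to place in a cookie value.
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// TokenEntropyBits decodes a token produced by NewSessionToken and reports how
// many bits of random material it carries (8 per decoded byte).
func TokenEntropyBits(token string) (int, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return 0, errors.New("token is not raw URL-safe base64")
	}
	return len(raw) * 8, nil
}

// IsStrongToken is the server-side gate: a cookie value that does not decode
// to at least MinTokenBits of material is rejected before any session lookup.
func IsStrongToken(token string) (bool, error) {
	bits, err := TokenEntropyBits(token)
	if err != nil {
		return false, err
	}
	return bits >= MinTokenBits, nil
}

func main() {
	tok, err := NewSessionToken(32) // 256 bits, the size this example recommends
	if err != nil {
		panic(err)
	}
	bits, _ := TokenEntropyBits(tok)
	ok, _ := IsStrongToken(tok)
	fmt.Printf("session token: %s (%d bits, strong=%v)\n", tok, bits, ok)

	// A constructed 20-character value standing in for a short, structured id:
	// it decodes to only 120 bits and is refused by the gate.
	weak := "cs2v9kq0pbn0000000a0"
	ok, _ = IsStrongToken(weak)
	fmt.Printf("short id accepted as session token: %v\n", ok)
}
```

The important property is not the encoding but the source: the token must be drawn from crypto/rand (never math/rand or an id generator), be long enough that guessing is hopeless, and be compared against the session store as an opaque string.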

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2024-52801
GHSA-6943-QR24-82VX
GO-2024-3300
OPENSUSE-SU-2024:14567-1

Affected Products

Sftpgo
Xid