PT-2024-4465 · Sftpgo · Sftpgo

T7Tran · Published 2024-06-07 · Updated 2024-06-28 · CVE-2024-37897

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SFTPGo versions prior to v2.6.1
Description: The issue is insufficient access control in SFTPGo's password reset flow: users with access restrictions can reset their password and log in even after their access has expired. A remote attacker can exploit this to bypass existing security restrictions. The password reset feature is disabled by default, but it poses a risk if enabled.
Recommendations: For SFTPGo versions prior to v2.6.1, upgrade to version 2.6.1. As a temporary workaround, keep the password reset feature disabled. Alternatively, set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
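The authorization rule the fix restores, as an added illustration in Go (not SFTPGo's own code): the `User` type, its field names and the error values are assumptions for this sketch. The reset path applies the same expiry check as login both when issuing the emailed code and when redeeming it, so an expired account can neither receive a code nor use one.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// Hypothetical user record for this illustration; it is not SFTPGo's User type.
type User struct {
	Email, Password string
	ExpiresAt       time.Time // zero value: access never expires
}

var ErrNotAllowed = errors.New("reset refused: access expired")
var ErrNoEmail = errors.New("reset refused: no email on file")
var ErrBadCode = errors.New("reset refused: invalid code")

// canLogin is the rule the login path enforces; each reset step must apply it too.
func (u *User) canLogin(now time.Time) bool {
	return u.ExpiresAt.IsZero() || now.Before(u.ExpiresAt)
}

// requestReset gates issuance of the emailed code: an expired user never gets one,
// and neither does a user with a blank email (the advisory's manual workaround).
func requestReset(u *User, now time.Time) error {
	if !u.canLogin(now) {
		return ErrNotAllowed
	}
	if u.Email == "" {
		return ErrNoEmail
	}
	return nil
}

// completeReset verifies the code, then re-checks authorization at redemption
// time, since access may have expired after the code was issued.
func completeReset(u *User, issued, submitted, newPass string, now time.Time) error {
	if subtle.ConstantTimeCompare([]byte(issued), []byte(submitted)) != 1 {
		return ErrBadCode
	}
	if !u.canLogin(now) {
		return ErrNotAllowed
	}
	u.Password = newPass
	return nil
}
```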

Exploit · Fix

Weakness Enumeration: Incorrect Authorization, Improper Authentication

Related Identifiers

BDU:2024-04967
CVE-2024-37897
GHSA-HW5F-6WVV-XCRH
GO-2024-2940

Affected Products

Sftpgo