
CVE-2024-37897 github.com/drakkan/sftpgo/v2

Package

Manager: go
Name: github.com/drakkan/sftpgo/v2
Vulnerable Version: >=2.2.0 <2.6.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00126 (percentile 0.32652)

Details

SFTPGo has insufficient access control for password reset

Impact

SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.

Patches

Fixed in v2.6.1.

Workarounds

The following workarounds are available:
- Keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
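The advisory describes a recovery flow that skips the eligibility checks a login would apply. The following Go snippet is an added illustration and is not SFTPGo's own code: it uses an assumed `User` type and contrasts a reset gate that only checks for a deliverable email (the flaw class described above) with one that re-runs the access checks first. It also shows why the blank-email workaround is effective, since both variants refuse to issue a code when no address is set.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// User is a simplified, assumed account model for this example
// (not the real SFTPGo user type).
type User struct {
	Username       string
	Email          string
	Disabled       bool
	ExpirationDate time.Time // zero value means "never expires"
}

var (
	ErrUserDisabled = errors.New("user is disabled")
	ErrUserExpired  = errors.New("user account has expired")
	ErrNoEmail      = errors.New("user has no email address")
)

// checkAccess applies the same restrictions a login would enforce.
func checkAccess(u User, now time.Time) error {
	if u.Disabled {
		return ErrUserDisabled
	}
	if !u.ExpirationDate.IsZero() && now.After(u.ExpirationDate) {
		return ErrUserExpired
	}
	return nil
}

// resetAllowedVulnerable mirrors the flaw class from the advisory: it only
// verifies that the account can receive mail, so a restricted (e.g. expired)
// user is still sent a reset code and can then log in with the new password.
func resetAllowedVulnerable(u User, now time.Time) error {
	if u.Email == "" {
		return ErrNoEmail
	}
	return nil
}

// resetAllowedHardened re-runs the access checks before a code is issued,
// so a user who could not log in also cannot reset their password.
func resetAllowedHardened(u User, now time.Time) error {
	if err := checkAccess(u, now); err != nil {
		return err
	}
	if u.Email == "" {
		return ErrNoEmail
	}
	return nil
}

func main() {
	// Constructed sample accounts; the date is arbitrary.
	now := time.Date(2024, 6, 20, 0, 0, 0, 0, time.UTC)
	expired := User{Username: "alice", Email: "alice@example.test",
		ExpirationDate: now.Add(-24 * time.Hour)}
	noMail := User{Username: "bob", ExpirationDate: now.Add(-24 * time.Hour)}

	fmt.Println("vulnerable gate, expired user:", resetAllowedVulnerable(expired, now))
	fmt.Println("hardened gate, expired user:  ", resetAllowedHardened(expired, now))
	fmt.Println("workaround (blank email):      ", resetAllowedVulnerable(noMail, now))
}
```

The design point is that password reset is an authentication path in its own right and must be gated by the same account-state checks as interactive login; otherwise any restriction applied to the user (expiry, disablement) is only enforced on one of the two doors.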

Metadata

Created: 2024-06-20T16:11:48Z
Modified: 2024-06-20T19:16:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hw5f-6wvv-xcrh/GHSA-hw5f-6wvv-xcrh.json
CWE IDs: ["CWE-287", "CWE-863"]
Alternative ID: GHSA-hw5f-6wvv-xcrh
Finding: F006
Auto approve: 1