CVE-2024-41255 – github.com/mickael-kerjean/filestash
Package
Manager: go
Name: github.com/mickael-kerjean/filestash
Vulnerable Version: >=0 <=0.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00041 (percentile 0.11512)
Details
Filestash configured to skip TLS certificate verification when using the FTPS protocol
Filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.
Metadata
Created: 2024-07-31T21:32:38Z
Modified: 2024-09-06T21:37:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-4jmm-c6jw-g796/GHSA-4jmm-c6jw-g796.json
CWE IDs: ["CWE-295", "CWE-453"]
Alternative ID: GHSA-4jmm-c6jw-g796
Finding: F163
Auto approve: 1