CVE-2024-41256 – github.com/mickael-kerjean/filestash
Package
Manager: go
Name: github.com/mickael-kerjean/filestash
Vulnerable Version: >=0 <=0.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.001 (percentile: 0.28308)
Details
Filestash skips the TLS certificate verification process when sending out email verification codes
Default configurations in the ShareProofVerifier function of filestash v0.4 cause the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.
Metadata
Created: 2024-07-31T21:32:38Z
Modified: 2025-03-19T15:35:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-mpvx-whpp-99xj/GHSA-mpvx-whpp-99xj.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-mpvx-whpp-99xj
Finding: F163
Auto approve: 1