CVE-2024-37897

2024-06-2018:15:13

CWE-287

[email protected]

web.nvd.nist.gov

sftpgo

password reset

access restrictions

vulnerability

upgrade

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.

Affected configurations

Vulners

Node

drakkansftpgoRange2.2.0–2.6.1

CNA Affected

[
  {
    "vendor": "drakkan",
    "product": "sftpgo",
    "versions": [
      {
        "version": ">= 2.2.0, < 2.6.1",
        "status": "affected"
      }
    ]
  }
]