Lucene search

K
githubGitHub Advisory DatabaseGHSA-6PM2-J2V8-H3CJ
HistoryFeb 06, 2023 - 9:30 p.m.

Withdrawn: Fortra GoAnywhere MFT Deserialization of Untrusted Data vulnerability affects metasploit-framework

2023-02-0621:30:29
CWE-502
GitHub Advisory Database
github.com
54
fortra goanywhere mft
pre-authentication
command injection
vulnerability
license response servlet
deserialization

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.969

Percentile

99.7%

Withdrawn

This advisory has been withdrawn because it was incorrectly associated with the metasploit-framework package, which is not affected by this CVE, and the actual vulnerable component does not fit within our supported ecosystems. This link is maintained to preserve external references.

Original Description

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.

Affected configurations

Vulners
Node
metasploitmetasploit_frameworkRange≀6.0.33
CPENameOperatorVersion
metasploit-frameworkle6.0.33

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.969

Percentile

99.7%