GoogleOSV:GHSA-HW5F-6WVV-XCRHSFTPGo has insufficient access control for password reset
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
9.0%
Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
References
github.com/drakkan/sftpgo
github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423
github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583
github.com/drakkan/sftpgo/releases/tag/v2.6.1
github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
nvd.nist.gov/vuln/detail/CVE-2024-37897
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
9.0%