Lucene search
GoogleOSV:GHSA-X72P-G37Q-4XR9HistoryJul 22, 2024 - 9:31 a.m.
SFTPGo's JWT implmentation lacks certain security measures
2024-07-2209:31:55
Google
osv.dev
6
sftpgo
2.6.2
jwt
security measures
expiration
invalidation mechanisms
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
7
Confidence
High
EPSS
0
Percentile
9.6%
In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.
Related
vulnrichment
vulnrichment
CVE-2024-40430
2024-07-22 00:00:00
nvd
nvd
CVE-2024-40430
2024-07-22 07:15:02
cve
cve
CVE-2024-40430
2024-07-22 07:15:02
cvelist
cvelist
CVE-2024-40430
2024-07-22 00:00:00
github
github
Withdrawn: SFTPGo's JWT implmentation lacks certain security measures
2024-07-22 09:31:55
osv
osv
CVE-2024-40430
2024-07-22 07:15:02
veracode
veracode
Insecure Direct Object Reference (IDOR)
2024-07-23 06:55:43
CVSS3
5.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
7
Confidence
High
EPSS
0
Percentile
9.6%
Related for OSV:GHSA-X72P-G37Q-4XR9