Skip to content

SFTPGo has insufficient access control for password reset

Moderate severity GitHub Reviewed Published Jun 20, 2024 in drakkan/sftpgo • Updated Jun 20, 2024

Package

gomod github.com/drakkan/sftpgo/v2 (Go)

Affected versions

>= 2.2.0, < 2.6.1

Patched versions

2.6.1

Description

Impact

SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.

Patches

Fixed in v2.6.1.

Workarounds

The following workarounds are available:

  • keep the password reset feature disabled.
  • Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.

References

@drakkan drakkan published to drakkan/sftpgo Jun 20, 2024
Published to the GitHub Advisory Database Jun 20, 2024
Reviewed Jun 20, 2024
Published by the National Vulnerability Database Jun 20, 2024
Last updated Jun 20, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2024-37897

GHSA ID

GHSA-hw5f-6wvv-xcrh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.