Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odzVmLTZ3dnYteGNyaM4AA9Pu
SFTPGo has insufficient access control for password reset
Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- Keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzVmLTZ3dnYteGNyaM4AA9Pu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-hw5f-6wvv-xcrh, CVE-2024-37897
References:
- https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
- https://github.com/drakkan/sftpgo/releases/tag/v2.6.1
- https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583
- https://nvd.nist.gov/vuln/detail/CVE-2024-37897
- https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423
- https://github.com/advisories/GHSA-hw5f-6wvv-xcrh
Blast Radius: 0.0
Affected Packages
go:github.com/drakkan/sftpgo/v2
Dependent packages: 7
Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.6.1
Fixed in: 2.6.1
All affected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.6.1, 2.6.2, 2.6.3