GHSA-hw5f-6wvv-xcrh

Suggest an improvement
Source
https://github.com/advisories/GHSA-hw5f-6wvv-xcrh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hw5f-6wvv-xcrh/GHSA-hw5f-6wvv-xcrh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hw5f-6wvv-xcrh
Aliases
Published
2024-06-20T16:11:48Z
Modified
2024-06-28T15:58:24.624582Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
SFTPGo has insufficient access control for password reset
Details

Impact

SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.

Patches

Fixed in v2.6.1.

Workarounds

The following workarounds are available:

  • keep the password reset feature disabled.
  • Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
References

Affected packages

Go / github.com/drakkan/sftpgo/v2

Package

Name
github.com/drakkan/sftpgo/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/drakkan/sftpgo/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.2.0
Fixed
2.6.1