CVE-2024-40430
First published: Mon Jul 22 2024(Updated: )
In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sftpgo Project Sftpgo | =2.6.2 | |
| go/github.com/drakkan/sftpgo/v2 | <=2.6.2 | |
| =2.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/first-publish-date
- agent/type
- agent/author
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x72p-g37q-4xr9
- alias/CVE-2024-40430
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/status
- agent/tags
- collector/nvd-api
- agent/last-modified-date
- agent/event
- agent/description
- agent/trending
- package-manager/go
- vendor/sftpgo project
- canonical/sftpgo project sftpgo
- version/sftpgo project sftpgo/2.6.2
- status/rejected