Headline
GHSA-hw5f-6wvv-xcrh: SFTPGo has insufficient access control for password reset
Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-37897
SFTPGo has insufficient access control for password reset
Moderate severity GitHub Reviewed Published Jun 20, 2024 in drakkan/sftpgo • Updated Jun 20, 2024
Package
gomod github.com/drakkan/sftpgo/v2 (Go)
Affected versions
>= 2.2.0, < 2.6.1
Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
References
- GHSA-hw5f-6wvv-xcrh
- https://github.com/drakkan/sftpgo/releases/tag/v2.6.1
- drakkan/sftpgo@3462bba
Published to the GitHub Advisory Database
Jun 20, 2024
Last updated
Jun 20, 2024