GHSA-6943-QR24-82VX

Vulnerability from github – Published: 2024-12-02 17:16 – Updated: 2024-12-02 22:05
VLAI?
Summary
sftpgo vulnerable to brute force takeover of OpenID Connect session cookies
Details

Impact

The OpenID Connect implementation, in the affected SFTPGo versions, allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure.

Patches

This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings.

References

https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6

Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/drakkan/sftpgo/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:16:34Z",
    "nvd_published_at": "2024-11-29T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe OpenID Connect implementation, in the affected SFTPGo versions, allows authenticated users to brute force session cookies and thereby gain access to other users\u0027 data, since the cookies are generated predictably using the [xid](https://github.com/rs/xid) library and are therefore unique but not cryptographically secure.\n\n### Patches\n\nThis issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings.\n\n### References\n\nhttps://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6\n",
  "id": "GHSA-6943-qr24-82vx",
  "modified": "2024-12-02T22:05:00Z",
  "published": "2024-12-02T17:16:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drakkan/sftpgo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rs/xid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sftpgo vulnerable to brute force takeover of OpenID Connect session cookies"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.