github - ghsa-x72p-g37q-4xr9

ghsa-x72p-g37q-4xr9

Vulnerability from github

Published

2024-07-22 09:31

Modified

2024-07-31 18:42

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
7.1 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Withdrawn: SFTPGo's JWT implmentation lacks certain security measures

Details

Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.

~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/drakkan/sftpgo/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-323",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-22T18:46:59Z",
    "nvd_published_at": "2024-07-22T07:15:02Z",
    "severity": "MODERATE"
  },
  "details": "Withdrawn:\nThe attack vector described in the backing report required that an attacker gain access to a user\u0027s session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.\n\n~In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.~",
  "id": "GHSA-x72p-g37q-4xr9",
  "modified": "2024-07-31T18:42:56Z",
  "published": "2024-07-22T09:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/4645"
    },
    {
      "type": "WEB",
      "url": "https://alexsecurity.rocks/posts/cve-2024-40430"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drakkan/sftpgo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn: SFTPGo\u0027s JWT implmentation lacks certain security measures",
  "withdrawn": "2024-07-31T18:42:56Z"
}

cve-2024-40430

Vulnerability from cvelistv5

Published

2024-07-22 00:00

Modified

2024-08-02 04:33

Severity

6.5 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.

References

URL	Tags
https://alexsecurity.rocks/posts/cve-2024-40430/
https://github.com/github/advisory-database/pull/4645

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website