CVE-2024-52801

Nov. 29, 2024, 7:15 p.m.

None
No Score

Description

sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure. This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
sftpgo
  • ['2.6.4']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-327
Use of a Broken or Risky Cryptographic Algorithm
The product uses a broken or risky cryptographic algorithm or protocol.

References

https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6
https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx
https://github.com/rs/xid

Tags

security-advisories@github.com
CWE-327
2024-11-29
CVE-2024-52801

Timeline

Published: Nov. 29, 2024, 7:15 p.m.
Last Modified: Nov. 29, 2024, 7:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.