Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-37897 #2942

Closed
GoVulnBot opened this issue Jun 20, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-37897 #2942

GoVulnBot opened this issue Jun 20, 2024 · 2 comments
Assignees
@tatianab
Labels
duplicate triaged

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-37897 references a vulnerability in the following Go modules:

Module
github.com/drakkan/sftpgo

Description:
SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV
server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient
support password reset. This feature is disabled in the default configuration.
In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with
access restrictions (e.g. expired) can reset their password and log in. Users
are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the
password reset feature disabled or set a blank email address for users and
admins with access restrictions so they cannot receiv...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/drakkan/sftpgo
      vulnerable_at: 1.2.2
      packages:
        - package: sftpgo
summary: CVE-2024-37897 in github.com/drakkan/sftpgo
cves:
    - CVE-2024-37897
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-37897
    - fix: https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423
    - web: https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
source:
    id: CVE-2024-37897
    created: 2024-06-20T19:01:16.029278447Z
review_status: UNREVIEWED
@tatianab tatianab self-assigned this Jun 25, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/594901 mentions this issue: data/reports: add 18 unreviewed reports

@tatianab
Copy link
Contributor

Duplicate of #2940

@tatianab tatianab marked this as a duplicate of #2940 Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
duplicate triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot