CVE-2024-25157 - OpenCVE

An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Fortra	Goanywhere Managed File Transfer

Configuration 1 [-]

cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.fortra.com/security/advisories/product-security/fi-2024-009

History

Mon, 19 Aug 2024 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287
CPEs		cpe:2.3:a:fortra:goanywhere_managed_file_transfer::::::::

Thu, 15 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortra Fortra goanywhere Managed File Transfer
CPEs		cpe:2.3:a:fortra:goanywhere_managed_file_transfer:-:::::::*
Vendors & Products		Fortra Fortra goanywhere Managed File Transfer
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 14 Aug 2024 15:15:00 +0000

Type	Values Removed	Values Added
Description		An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.
Title		Authentication bypass in GoAnywhere MFT prior to 7.6.0
Weaknesses		CWE-303
References		https://www.fortra.com/security/advisories/product-security/fi-2024-009
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2024-08-14T15:04:10.987Z

Updated: 2024-08-29T03:55:30.276Z

Reserved: 2024-02-06T21:23:57.925Z

Link: CVE-2024-25157

Vulnrichment

Updated: 2024-08-15T13:43:34.116Z

NVD

Status : Analyzed

Published: 2024-08-14T15:15:18.023

Modified: 2024-08-19T18:57:58.657

Link: CVE-2024-25157

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25157", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2024-02-06T21:23:57.925Z", "datePublished": "2024-08-14T15:04:10.987Z", "dateUpdated": "2024-08-29T03:55:30.276Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "GoAnywhere MFT", "vendor": "Fortra", "versions": [{"lessThan": "7.6.0", "status": "affected", "version": "6.0.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification."}], "value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-08-14T15:04:10.987Z"}, "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2024-009"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to GoAnywhere MFT 7.6.0<br>"}], "value": "Upgrade to GoAnywhere MFT 7.6.0"}], "source": {"discovery": "UNKNOWN"}, "title": "Authentication bypass in GoAnywhere MFT prior to 7.6.0", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "fortra", "product": "goanywhere_managed_file_transfer", "cpes": ["cpe:2.3:a:fortra:goanywhere_managed_file_transfer:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0.1", "status": "affected", "lessThan": "7.6.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-25157"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T03:55:30.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-15T13:43:07.739617Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortra:goanywhere_managed_file_transfer:-:*:*:*:*:*:*:*"], "vendor": "fortra", "product": "goanywhere_managed_file_transfer", "versions": [{"status": "affected", "version": "6.0.1", "lessThan": "7.6.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T13:43:34.116Z"}}], "cna": {"title": "Authentication bypass in GoAnywhere MFT prior to 7.6.0", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "product": "GoAnywhere MFT", "versions": [{"status": "affected", "version": "6.0.1", "lessThan": "7.6.0", "versionType": "semver"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Upgrade to GoAnywhere MFT 7.6.0", "supportingMedia": [{"type": "text/html", "value": "Upgrade to GoAnywhere MFT 7.6.0<br>", "base64": false}]}], "references": [{"url": "https://www.fortra.com/security/advisories/product-security/fi-2024-009"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.", "supportingMedia": [{"type": "text/html", "value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-08-14T15:04:10.987Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25157", "state": "PUBLISHED", "dateUpdated": "2024-08-29T03:55:30.276Z", "dateReserved": "2024-02-06T21:23:57.925Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2024-08-14T15:04:10.987Z", "assignerShortName": "Fortra"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "473E0873-F26C-4E9A-B58A-CF853E6F07DF", "versionEndExcluding": "7.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification."}, {"lang": "es", "value": "Una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en GoAnywhere MFT anterior a 7.6.0 permite a los usuarios administradores con acceso a la consola del agente omitir algunas comprobaciones de permisos cuando intentan visitar otras p\u00e1ginas. Esto podr\u00eda dar lugar a la divulgaci\u00f3n o modificaci\u00f3n no autorizada de informaci\u00f3n."}], "id": "CVE-2024-25157", "lastModified": "2024-08-19T18:57:58.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}, "published": "2024-08-14T15:15:18.023", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisories/product-security/fi-2024-009"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-303"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}]}