{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37897", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-10T19:54:41.361Z", "datePublished": "2024-06-20T17:32:52.623Z", "dateUpdated": "2024-08-02T04:04:23.422Z"}, "containers": {"cna": {"title": "Insufficient access control for password reset in sftpgo", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"}, {"name": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "tags": ["x_refsource_MISC"], "url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"version": ">= 2.2.0, < 2.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-20T17:32:52.623Z"}, "descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.\nIn SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability."}], "source": {"advisory": "GHSA-hw5f-6wvv-xcrh", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "sftpgo_project", "product": "sftpgo", "cpes": ["cpe:2.3:a:sftpgo_project:sftpgo:2.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.2.0", "status": "affected", "lessThan": "2.6.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-27T13:14:38.624575Z", "id": "CVE-2024-37897", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-01T18:31:04.569Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:23.422Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"}, {"name": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "name": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:23.422Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37897", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-27T13:14:38.624575Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sftpgo_project:sftpgo:2.2.0:*:*:*:*:*:*:*"], "vendor": "sftpgo_project", "product": "sftpgo", "versions": [{"status": "affected", "version": "2.2.0", "lessThan": "2.6.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-27T00:07:08.188Z"}}], "cna": {"title": "Insufficient access control for password reset in sftpgo", "source": {"advisory": "GHSA-hw5f-6wvv-xcrh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "drakkan", "product": "sftpgo", "versions": [{"status": "affected", "version": ">= 2.2.0, < 2.6.1"}]}], "references": [{"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "name": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "name": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.\nIn SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-20T17:32:52.623Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37897", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:04:23.422Z", "dateReserved": "2024-06-10T19:54:41.361Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-20T17:32:52.623Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.\nIn SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability."}, {"lang": "es", "value": "SFTPGo es un servidor SFTP, HTTP/S, FTP/S y WebDAV con todas las funciones y altamente configurable: S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin y WebClient admiten el restablecimiento de contrase\u00f1a. Esta caracter\u00edstica est\u00e1 deshabilitada en la configuraci\u00f3n predeterminada. En las versiones de SFTPGo anteriores a la v2.6.1, si la funci\u00f3n est\u00e1 habilitada, incluso los usuarios con restricciones de acceso (por ejemplo, vencidas) pueden restablecer su contrase\u00f1a e iniciar sesi\u00f3n. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.6.1. Los usuarios que no puedan actualizar pueden mantener la funci\u00f3n de restablecimiento de contrase\u00f1a desactivada o establecer una direcci\u00f3n de correo electr\u00f3nico en blanco para los usuarios y administradores con restricciones de acceso para que no puedan recibir el correo electr\u00f3nico con el c\u00f3digo de restablecimiento y explotar la vulnerabilidad."}], "id": "CVE-2024-37897", "lastModified": "2024-11-21T09:24:29.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-20T18:15:13.023", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"}, {"source": "security-advisories@github.com", "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}