CVE-2024-37897: SFTPGo has insufficient access control for password reset

June 20, 2024

SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.

References

github.com/advisories/GHSA-hw5f-6wvv-xcrh
github.com/drakkan/sftpgo
github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583
github.com/drakkan/sftpgo/releases/tag/v2.6.1
github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh
nvd.nist.gov/vuln/detail/CVE-2024-37897

Code Behaviors & Features

Detect and mitigate CVE-2024-37897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →