CVE-2024-41255: Filestash configured to skip TLS certificate verification when using the FTPS protocol
(updated )
filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.
References
- gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441
- github.com/advisories/GHSA-4jmm-c6jw-g796
- github.com/mickael-kerjean/filestash
- github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go
- github.com/mickael-kerjean/filestash/issues/710
- nvd.nist.gov/vuln/detail/CVE-2024-41255
Detect and mitigate CVE-2024-41255 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →