x/vulndb: potential Go vuln in github.com/drakkan/sftpgo/v2: GHSA-x72p-g37q-4xr9 #3004

Closed
GoVulnBot opened this issue Jul 22, 2024 · 4 comments
Labels
excluded: WITHDRAWN The source report was withdrawn before we published it in vulndb. triaged

Comments

@GoVulnBot

Advisory GHSA-x72p-g37q-4xr9 references a vulnerability in the following Go modules:

Module
github.com/drakkan/sftpgo
github.com/drakkan/sftpgo/v2

Description:
In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/drakkan/sftpgo
      vulnerable_at: 1.2.2
    - module: github.com/drakkan/sftpgo/v2
      vulnerable_at: 2.6.2
summary: SFTPGo's JWT implementation lacks certain security measures in github.com/drakkan/sftpgo
cves:
    - CVE-2024-40430
ghsas:
    - GHSA-x72p-g37q-4xr9
references:
    - advisory: https://github.com/advisories/GHSA-x72p-g37q-4xr9
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40430
    - web: https://alexsecurity.rocks/posts/cve-2024-40430
source:
    id: GHSA-x72p-g37q-4xr9
    created: 2024-07-22T19:01:16.008871088Z
review_status: UNREVIEWED
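The checks the description above says were missing (a JWT ID claim, an expiry, and a way to invalidate issued tokens), shown as an added Go illustration that is not SFTPGo's code or the vulndb project's: a minimal HS256 signer and a verifier that rejects tokens lacking exp or jti and consults a revocation set keyed by jti. The key, claim values and revocation map are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims is the minimal claim set enforced here: a unique ID (jti) used as the revocation key, and a Unix-time expiry (exp).
type Claims struct {
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// hs256 returns the HMAC-SHA256 tag over a JWT signing input (header.payload).
func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Sign builds an HS256 JWT carrying the claims (constructed example signer).
func Sign(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(hs256(key, input))
}

// Verify checks the signature with the server key (the header's alg is never trusted), then
// requires a future exp and a present, non-revoked jti; a token missing either claim is rejected.
func Verify(key []byte, revoked map[string]bool, now int64, token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad payload")
	}
	if c.Exp == 0 || c.Exp <= now || c.Jti == "" || revoked[c.Jti] {
		return c, errors.New("token expired, revoked, or missing exp/jti")
	}
	return c, nil
}
```

Revoking a token on logout is then a matter of recording its jti until its exp has passed, after which the entry can be dropped.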

@gopherbot
Contributor

Change https://go.dev/cl/601381 mentions this issue: data/reports: add GO-2024-3004

@gopherbot
Contributor

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

@tatianab
Contributor

tatianab commented Aug 5, 2024

This vulnerability has been withdrawn. It no longer needs a report.

@tatianab tatianab closed this as completed Aug 5, 2024
@tatianab tatianab added excluded: OUT_OF_SCOPE This issue is out of scope for this issue tracker. excluded: WITHDRAWN The source report was withdrawn before we published it in vulndb. and removed excluded: OUT_OF_SCOPE This issue is out of scope for this issue tracker. labels Aug 21, 2024
@tatianab tatianab reopened this Aug 23, 2024
@gopherbot
Contributor

Change https://go.dev/cl/607820 mentions this issue: data/excluded: add 3 reports
