golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo/v2: GHSA-x72p-g37q-4xr9 #3004

Closed GoVulnBot closed 1 week ago

GoVulnBot commented 1 month ago

Advisory GHSA-x72p-g37q-4xr9 references a vulnerability in the following Go modules:

Module
github.com/drakkan/sftpgo
github.com/drakkan/sftpgo/v2

Description: In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/drakkan/sftpgo
      vulnerable_at: 1.2.2
    - module: github.com/drakkan/sftpgo/v2
      vulnerable_at: 2.6.2
summary: SFTPGo's JWT implementation lacks certain security measures in github.com/drakkan/sftpgo
cves:
    - CVE-2024-40430
ghsas:
    - GHSA-x72p-g37q-4xr9
references:
    - advisory: https://github.com/advisories/GHSA-x72p-g37q-4xr9
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40430
    - web: https://alexsecurity.rocks/posts/cve-2024-40430
source:
    id: GHSA-x72p-g37q-4xr9
    created: 2024-07-22T19:01:16.008871088Z
review_status: UNREVIEWED

gopherbot commented 1 month ago

Change https://go.dev/cl/601381 mentions this issue: data/reports: add GO-2024-3004

gopherbot commented 1 month ago

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

tatianab commented 1 month ago

This vulnerability has been withdrawn. It no longer needs a report.

gopherbot commented 2 weeks ago

Change https://go.dev/cl/607820 mentions this issue: data/excluded: add 3 reports