x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-52801

Advisory CVE-2024-52801 references a vulnerability in the following Go modules:

Module
github.com/drakkan/sftpgo

Description: sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure. This issue was fixed in version v2.6.4, where cookies are opaque and cryptographically secure strings. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

github.com/drakkan/sftpgo appears in 4 other report(s):
- data/reports/GO-2022-0964.yaml (https://github.com/golang/vulndb/issues/964)
- data/reports/GO-2022-1015.yaml (https://github.com/golang/vulndb/issues/1015)
- data/reports/GO-2024-2940.yaml (https://github.com/golang/vulndb/issues/2940)
- data/reports/GO-2024-3283.yaml (https://github.com/golang/vulndb/issues/3283)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/drakkan/sftpgo
      vulnerable_at: 1.2.2
summary: CVE-2024-52801 in github.com/drakkan/sftpgo
cves:
    - CVE-2024-52801
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52801
    - fix: https://github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6
    - web: https://github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx
    - web: https://github.com/rs/xid
source:
    id: CVE-2024-52801
    created: 2024-11-29T20:01:24.313261314Z
review_status: UNREVIEWED

golang / vulndb

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2024-52801 #3300