Published: 31 Jul 2024
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 5.9
Description
Filestash configured to skip TLS certificate verification when using the FTPS protocol
filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-41255
- https://github.com/mickael-kerjean/filestash/issues/710
- https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441
- https://github.com/advisories/GHSA-4jmm-c6jw-g796
- https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108
- https://pkg.go.dev/vuln/GO-2024-3033
Packages
Name: github.com/mickael-kerjean/filestash (go)
Affected versions: <= 0.4
Fixed version: None
EPSS: 0.00041 (Low)
Percentile: 12%
CVSS4: 8.7 High
CVSS3: 5.9 Medium
CVE ID
Weaknesses
CWE-295
CWE-453
Related vulnerabilities
CVSS3: 7.5
nvd
more than 1 year ago
filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.