GHSA-x72p-g37q-4xr9

Published: 22 Jul 2024
Source: github
GitHub: Reviewed
CVSS4: 7.1
CVSS3: 6.5

Description

Withdrawn: SFTPGo's JWT implementation lacks certain security measures

Withdrawn: The attack vector described in the backing report required that an attacker gain access to a user's session cookie. By gaining access to the session cookie the attacker is for all intents and purposes the valid user and any access to user data would be expected.

In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.

Packages

Name: github.com/drakkan/sftpgo/v2 (go)
Affected versions: <= 2.6.2
Fixed version: none

CVSS4: 7.1 High
CVSS3: 6.5 Medium

Weaknesses

CWE-323
CWE-639

Related vulnerabilities

nvd
more than 1 year ago

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
