Metrics
Affected Vendors & Products
No reference.
Fri, 13 Sep 2024 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-639 | |
| CPEs | | |
| Vendors & Products | Sftpgo Project; Sftpgo Project sftpgo | |
| References | | |
| Metrics | cvssV3_1 | |
Fri, 13 Sep 2024 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | cvssV3_1 |
Fri, 13 Sep 2024 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work. | DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. |
Status: REJECTED
Assigner: mitre
Published:
Updated: 2024-09-13T20:25:30.956707
Reserved: 2024-07-05T00:00:00
Link: CVE-2024-40430
Updated:
Status: Rejected
Published: 2024-07-22T07:15:02.207
Modified: 2024-09-13T21:15:10.357
Link: CVE-2024-40430
No data.
OpenCVE Enrichment
No data.