You are viewing this page in an unauthorized frame window.
This is a potential security issue, you are being redirected to
https://nvd.nist.gov
An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
CVE has been marked "REJECT" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.
Current Description
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
In SFTPGO 2.6.2, the JWT implementation lacks cerrtain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to nvd@nist.gov.
Title: SFTPGO 2.6.2
Description: En SFTPGO 2.6.2, la implementación de JWT carece de ciertas medidas de seguridad, como el uso de reclamos de JWT ID (JTI), nonces y mecanismos adecuados de caducidad e invalidación.
CVE Modified by MITRE9/13/2024 5:15:10 PM
Action
Type
Old Value
New Value
Removed
Tag
MITRE disputed
Changed
Description
In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Removed
CVSS V3.1
CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Removed
CVSS V3.1
NIST AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Removed
CWE
CISA-ADP CWE-639
Removed
CWE
NIST CWE-639
Removed
CPE Configuration
OR
*cpe:2.3:a:sftpgo_project:sftpgo:2.6.2:*:*:*:*:*:*:*
In SFTPGO 2.6.2, the JWT implementation lacks cerrtain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.
In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.
OR
*cpe:2.3:a:sftpgo_project:sftpgo:2.6.2:*:*:*:*:*:*:*
Changed
Reference Type
https://alexsecurity.rocks/posts/cve-2024-40430/ No Types Assigned
https://alexsecurity.rocks/posts/cve-2024-40430/ Exploit, Third Party Advisory
New CVE Received from MITRE7/22/2024 3:15:02 AM
Action
Type
Old Value
New Value
Added
Description
In SFTPGO 2.6.2, the JWT implementation lacks cerrtain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.