mirror of
https://github.com/0xMarcio/cve.git
synced 2025-06-19 17:30:12 +00:00
982 B
982 B
CVE-2024-40430
Description
** DISPUTED ** In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.
POC
Reference
- https://alexsecurity.rocks/posts/cve-2024-40430/
- https://github.com/github/advisory-database/pull/4645
Github
No PoCs found on GitHub currently.