CVE-2024-40430
- Reference to the description:
- Description:
- In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. NOTE: The vendor argues that the prerequisite for this exploit is to be able to steal another user's cookie. Additionally, it is argued that SFTPGo validates cookies being used by the IP address it was issued to, so stolen cookies from different IP addresses will not work.
- Last updated date:
- 08/02/2024
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 07/25/2024
- Reference url to background