CVE-2024-0204
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Fortra | GoAnywhere MFT | 6.0.1 < 7.4.1 | affected |
Weaknesses
- CWE-425: CWE-425 Direct Request ('Forced Browsing')
Workarounds
Users are encouraged to apply defense-in-depth tactics to limit access to the administrative console. Do not expose the console to the internet and apply web application controls such as a WAF, monitoring, and access controls.
ADP Enrichment
CVE Program Container
Additional References
- https://www.fortra.com/security/advisory/fi-2024-001
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
- http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
- http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.fortra.com/security/advisory/fi-2024-001
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
- http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
- http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.