Path Traversal in GoAnywhere MFT 7.4.1 and Earlier

FI-2024-004 - Path Traversal in GoAnywhere MFT 7.4.1 and Earlier

Severity
Medium
Published Date
14-Mar-2024
Updated Date
14-Mar-2024
Vulnerabilities
CVE-2024-25156
 
Notes
Description

A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.

Using a crafted URL, an unauthorized user may access pages within GoAnywhere. This may lead to information disclosure. In non-default configurations it may also allow web user self-registration in some circumstances.

To mitigate against unintended user registration, ensure Web User Self-Registration is disabled and there are no self-registration rules configured with ‘allow’ permissions.

For customers who have self-registration enabled, this is not an authentication bypass issue. However, these customers are encouraged to review the registration rules they have configured and limit the scope of their configured rule patterns. Customers are encouraged to configure their rules to require admin approval and deny all other email patterns that do not match an email pattern required by their organization.

 

Vulnerabilities

 
Path traversal in GoAnywhere MFT 7.4.1 and earlier
Severity
Medium
CVE
CVE-2024-25156
CWE
CWE-22:Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Discovery Date
01-Dec-2023
CSSv3.1
6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Products
Fortra GoAnywhere MFT prior to 7.4.2
Vulnerability Notes
Remediation: Vendor Fix

Upgrade to GoAnywhere MFT 7.4.2 or higher

 
References
 

Acknowledgements

Fortra would like to thank the following individuals:

  • Mohammed Eldeeb & Islam Elrfai , Spark Engineering Consultants
  • vcth4nh , VcsLab of Viettel Cyber Security