Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0

FI-2025-004 - Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0

Severity
Low
Published Date
28-Apr-2025
Updated Date
28-Apr-2025
Vulnerabilities
CVE-2025-0049
 
Notes
Description

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path, which may allow fuzzing for application mapping.
 

This issue affects GoAnywhere: before 7.8.0.
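
The condition described above, modeled as an added example (not GoAnywhere code and not from Fortra): an upload handler whose error for a missing directory echoes the absolute server path, beside a version that returns only the user's virtual path plus a reference id and keeps the real path in the server log. All function names, the message wording and the sample paths are hypothetical.

```python
import logging
import os
import uuid

log = logging.getLogger("upload")


class UploadError(Exception):
    """Carries the message that is returned to the Web User."""


def _resolve(root, virtual_path):
    # Map the user's virtual path to a real path confined to the home root.
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(real_root, virtual_path.lstrip("/")))
    if os.path.commonpath([real_root, real]) != real_root:
        raise UploadError("Invalid path.")
    return real


def _store(root, virtual_path, data, can_create_subfolders, on_missing):
    target = _resolve(root, virtual_path)
    parent = os.path.dirname(target)
    if not os.path.isdir(parent):
        if not can_create_subfolders:
            raise UploadError(on_missing(parent, virtual_path))
        os.makedirs(parent)  # with Create permission the folder is made
    with open(target, "wb") as fh:
        fh.write(data)


def upload_leaky(root, virtual_path, data, can_create_subfolders=False):
    # CWE-209: the absolute server path is echoed back to the client.
    return _store(root, virtual_path, data, can_create_subfolders,
                  lambda parent, _v: f"Directory does not exist: {parent}")


def upload_hardened(root, virtual_path, data, can_create_subfolders=False):
    def message(parent, vpath):
        ref = uuid.uuid4().hex[:8]
        # The absolute path goes to the server log only, keyed by a reference.
        log.warning("upload rejected ref=%s missing_dir=%s", ref, parent)
        return f"Folder '{os.path.dirname(vpath)}' does not exist (ref {ref})."
    return _store(root, virtual_path, data, can_create_subfolders, message)


def client_error(upload_fn, root, virtual_path, **kw):
    # Return the error text a client would receive, or None on success.
    try:
        upload_fn(root, virtual_path, b"constructed sample data", **kw)
    except UploadError as exc:
        return str(exc)
    return None
```

The reference id lets an administrator match a user's report to the log entry that holds the real path.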

 

Vulnerabilities

 
Disclosure of sensitive information in an error message in GoAnywhere prior to version 7.8.0
Severity
Low
CVE
CVE-2025-0049
CWE
CWE-209: Generation of Error Message Containing Sensitive Information
Discovery Date
02-Aug-2023
CVSSv3.1
3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Affected Products
GoAnywhere Prior to 7.8.0
Vulnerability Notes
Remediation: Mitigation

This issue occurs when the Web User does not have Create permission on Subfolders. The bug is triggered when a user tries to upload a file to a directory that doesn't exist yet. (If the user has permission to create subdirectories, the non-existent directory is created automatically.)

Note: This workaround requires supplying an additional permission that the Web User does not have in vulnerable configurations. 

 
Remediation: Vendor Fix

Upgrade to GoAnywhere 7.8.0 or later.

 