Advisory FI-2024-001

FI-2024-001 - Authentication Bypass in GoAnywhere MFT

Severity Critical
Published Date 22-Jan-2024
Updated Date 22-Jan-2024
Vulnerabilities CVE-2024-0204

Notes

Description

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Vulnerabilities

Authentication Bypass in GoAnywhere MFT
Severity Critical
CVE CVE-2024-0204
CWE CWE-425 Direct Request ('Forced Browsing')
Discovery Date 01-Dec-2023
CVSSv3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product
  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

Vulnerability Notes

Remediation: Vendor Fix

Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).
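A local check that the file-level workaround described above has actually been applied on a host, added here as an example; it is not part of Fortra's advisory or of the GoAnywhere product. It assumes a POSIX shell on the host and takes the install directory as an argument; the directories in the demo are constructed temporary paths, not real installs, and the real install path on your system is something you supply.

```shell
#!/bin/sh
# Reports whether the CVE-2024-0204 file-level mitigation is in place:
# InitialAccountSetup.xhtml must be absent (non-container deployments)
# or zero-length (container deployments), per the vendor advisory.
# Returns 0 when mitigated, 1 when the file is still present and non-empty.
check_initial_account_setup() {
  install_dir="$1"
  f="$install_dir/InitialAccountSetup.xhtml"
  if [ ! -e "$f" ]; then
    echo "mitigated: $f not present (file deleted)"
    return 0
  fi
  if [ ! -s "$f" ]; then
    echo "mitigated: $f present but empty (container-style workaround)"
    return 0
  fi
  echo "NOT mitigated: $f present and non-empty; upgrade to 7.4.1+ or apply the vendor workaround"
  return 1
}

# Constructed demo: three temporary directories, one per state the check
# distinguishes. Replace these with your actual install directory in use,
# e.g. check_initial_account_setup /path/to/goanywhere  (path is a placeholder).
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/deleted" "$tmp/empty" "$tmp/unpatched"
  : > "$tmp/empty/InitialAccountSetup.xhtml"
  printf '<html>placeholder page</html>\n' > "$tmp/unpatched/InitialAccountSetup.xhtml"
  check_initial_account_setup "$tmp/deleted"
  check_initial_account_setup "$tmp/empty"
  check_initial_account_setup "$tmp/unpatched" || true
  rm -rf "$tmp"
}

demo
```

The check only confirms the workaround on the filesystem; it does not verify the product version, so an upgraded 7.4.1+ instance that still ships the file would be reported as unmitigated and should be judged by its version instead. Restarting the services after removing or emptying the file is still required, as the advisory states.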

Acknowledgements

Fortra would like to thank the following individuals:

  • Mohammed Eldeeb & Islam Elrfai, Spark Engineering Consultants

Fortra Security and Trust Center