CVE-2024-40430: SFTPGo's JWT implmentation lacks certain security measures

July 22, 2024

In SFTPGo 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms.

References

alexsecurity.rocks/posts/cve-2024-40430
github.com/advisories/GHSA-x72p-g37q-4xr9
github.com/drakkan/sftpgo
nvd.nist.gov/vuln/detail/CVE-2024-40430

Code Behaviors & Features

Detect and mitigate CVE-2024-40430 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →