CVE-2024-52801: sftpgo vulnerable to brute force takeover of OpenID Connect session cookies

December 2, 2024

The OpenID Connect implementation, in the affected SFTPGo versions, allows authenticated users to brute force session cookies and thereby gain access to other users’ data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically secure.

References

github.com/advisories/GHSA-6943-qr24-82vx
github.com/drakkan/sftpgo
github.com/drakkan/sftpgo/commit/f30a9a2095bf90c0661b04fe038e3b7efc788bc6
github.com/drakkan/sftpgo/security/advisories/GHSA-6943-qr24-82vx
github.com/rs/xid
nvd.nist.gov/vuln/detail/CVE-2024-52801

Code Behaviors & Features

Detect and mitigate CVE-2024-52801 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →