Vulnerability Information
Vulnerability Title
Brute force takeover of OpenID Connect session cookies in sftpgo
Vulnerability Description
sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. Its OpenID Connect implementation allows authenticated users to brute-force the session cookies of other users and thereby gain access to their data: the cookies are generated with the xid library, whose identifiers are unique but predictable (a 12-byte value built from a timestamp, machine id, process id and an incrementing counter) rather than cryptographically random, so an attacker holding their own cookie can enumerate the small neighbourhood in which other users' cookies were issued. This issue was fixed in version v2.6.4, where cookies are opaque, cryptographically secure random strings. All users are advised to upgrade. There are no known workarounds for this vulnerability.
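The following Go program is an added illustration of the two cookie schemes described above (it also covers the second, Chinese-language entry on this page, which restates the same issue); it is example code written for this page, not sftpgo's code and not the xid package itself. It reimplements only the 12-byte field layout of an xid identifier (timestamp, machine id, pid, counter; the real library additionally base32-encodes the bytes, which is omitted here) so that it runs without the third-party module, shows how an attacker who holds one cookie can enumerate the candidates near it, and contrasts that with an opaque cookie drawn from crypto/rand. The function and variable names, the sample machine id and pid, and the search window sizes are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sync/atomic"
	"time"
)

// xidLike mirrors the 12-byte layout of a github.com/rs/xid identifier:
// 4-byte big-endian Unix timestamp, 3-byte machine id, 2-byte process id,
// 3-byte big-endian counter. Simplified reconstruction for illustration
// (assumption: field layout only; the real library base32-encodes this).
type xidLike [12]byte

var counter uint32 // process-wide incrementing counter, as in the real library

func newXIDLike(now time.Time, machine [3]byte, pid uint16) xidLike {
	var id xidLike
	binary.BigEndian.PutUint32(id[0:4], uint32(now.Unix()))
	copy(id[4:7], machine[:])
	binary.BigEndian.PutUint16(id[7:9], pid)
	c := atomic.AddUint32(&counter, 1)
	id[9], id[10], id[11] = byte(c>>16), byte(c>>8), byte(c)
	return id
}

func (id xidLike) Time() uint32 { return binary.BigEndian.Uint32(id[0:4]) }
func (id xidLike) Counter() uint32 {
	return uint32(id[9])<<16 | uint32(id[10])<<8 | uint32(id[11])
}
func (id xidLike) String() string { return hex.EncodeToString(id[:]) }

// neighbours returns every cookie an attacker holding `known` would try:
// same machine id and pid (copied from the known cookie), counter within
// +/-delta and timestamp within +/-seconds of the known values.
func neighbours(known xidLike, delta, seconds uint32) []xidLike {
	baseCounter := int64(known.Counter())
	baseTime := int64(known.Time())
	out := make([]xidLike, 0, (2*delta+1)*(2*seconds+1))
	for dt := -int64(seconds); dt <= int64(seconds); dt++ {
		for dc := -int64(delta); dc <= int64(delta); dc++ {
			c := known // keeps machine id and pid bytes
			binary.BigEndian.PutUint32(c[0:4], uint32(baseTime+dt))
			v := uint32(baseCounter+dc) & 0xffffff // 24-bit counter wraps
			c[9], c[10], c[11] = byte(v>>16), byte(v>>8), byte(v)
			out = append(out, c)
		}
	}
	return out
}

// candidateCount is the size of the brute-force space for the given window.
func candidateCount(delta, seconds uint32) int {
	return int(2*delta+1) * int(2*seconds+1)
}

// guessable reports whether the victim's cookie falls inside the window an
// attacker would enumerate from their own cookie.
func guessable(attacker, victim xidLike, delta, seconds uint32) bool {
	for _, c := range neighbours(attacker, delta, seconds) {
		if c == victim {
			return true
		}
	}
	return false
}

// newOpaqueCookie is the pattern the fix describes: 256 bits from the
// operating system CSPRNG, encoded as an opaque string with no structure
// an attacker can extrapolate from (illustrative, not sftpgo's exact code).
func newOpaqueCookie() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	machine := [3]byte{0xaa, 0xbb, 0xcc} // constructed sample values
	now := time.Unix(1700000000, 0)
	victim := newXIDLike(now, machine, 4242)                     // victim logs in
	attacker := newXIDLike(now.Add(3*time.Second), machine, 4242) // attacker logs in shortly after
	fmt.Println("victim cookie:  ", victim)
	fmt.Println("attacker cookie:", attacker)
	fmt.Printf("candidates in window: %d, victim inside: %v\n",
		candidateCount(1000, 30), guessable(attacker, victim, 1000, 30))
	opaque, _ := newOpaqueCookie()
	fmt.Println("opaque cookie:  ", opaque, "(2^256 possibilities)")
}
```

Only the timestamp and counter bytes vary between cookies issued by one server process, so the search space for a window of a few minutes and a few thousand logins is on the order of 10^5 requests, which is well within reach of an authenticated attacker; a 32-byte random cookie has no such neighbourhood to search.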
CVSS Information
N/A
Vulnerability Type
Use of a Broken or Risky Cryptographic Algorithm
Vulnerability Title
SFTPGo Cryptographic Issue Vulnerability
Vulnerability Description
SFTPGo is a full-featured and highly configurable SFTP server developed by the Italian individual developer Nicola Murino. SFTPGo versions from 2.3.0 up to (but not including) 2.6.4 contain a cryptographic issue vulnerability: the server allows authenticated users to brute-force session cookies and thereby gain access to other users' data.
CVSS Information
N/A
Vulnerability Type
N/A