Authentication Bypass in GoAnywhere MFT

FI-2024-001 - Authentication Bypass in GoAnywhere MFT

Severity

Critical

Published Date

22-Jan-2024

Updated Date

22-Jan-2024

Vulnerabilities

CVE-2024-0204

Notes

Description

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Vulnerabilities

Authentication Bypass in GoAnywhere MFT

Severity

Critical

CVE

CVE-2024-0204

CWE

CWE-425:Direct Request ('Forced Browsing')

Discovery Date

01-Dec-2023

CSSv3.1

9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products

Fortra GoAnywhere MFT 6.x from 6.0.1
Fortra GoAnywhere MFT 7.x before 7.4.1

Vulnerability Notes

Remediation: Vendor Fix

Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).

References

Customer Advisory (permissions required) (https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml)
Vendor Advisory (https://fortra.com/security/advisory/FI-2024-001)

Acknowledgements

Fortra would like to thank the following individuals:

Mohammed Eldeeb & Islam Elrfai , Spark Engineering Consultants

Authentication Bypass in GoAnywhere MFT

FI-2024-001 - Authentication Bypass in GoAnywhere MFT

Notes

Vulnerabilities

Vulnerability Notes

References

Acknowledgements

Stay Current, Stay Safe

Contact Information

Privacy Policy

Cookie Policy

Impressum