Vulnerability Details: CVE-2024-0204

Summary
Assigner: Fortra
Assigner Org ID: df4dee71-de3a-4139-9588-11b62fe6c0ff
Published At: 22 Jan, 2024 | 18:05
Updated At: 30 May, 2025 | 14:22
Rejected At: -

Authentication Bypass in GoAnywhere MFT

Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: Fortra LLC (Fortra)
Product: GoAnywhere MFT
Default Status: affected
Affected versions:
  • From 6.0.1 before 7.4.1 (semver)
Problem Types
Type: CWE
CWE ID: CWE-425
Description: CWE-425 Direct Request ('Forced Browsing')
Metrics
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impacts
CAPEC ID: CAPEC-1
Description: CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Solutions

Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).

Workarounds

Users are encouraged to apply defense-in-depth tactics to limit access to the administrative console. Do not expose the console to the internet and apply web application controls such as a WAF, monitoring, and access controls.

Credits
Finder: Mohammed Eldeeb & Islam Elrfai, Spark Engineering Consultants
References
https://www.fortra.com/security/advisory/fi-2024-001 (vendor-advisory)
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (permissions-required)
http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html (resource type: N/A)
http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html (resource type: N/A)
Authorized Data Publishers (ADP)
1. CVE Program Container
References (each tagged x_transferred):
https://www.fortra.com/security/advisory/fi-2024-001 (vendor-advisory)
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (permissions-required)
http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
All other fields of this container (Affected Products, Metrics, Impacts, Solutions, Configurations, Workarounds, Exploits, Credits, Timeline, Replaced By, Rejected Reason) are empty.
2. CISA ADP Vulnrichment
Information is not available yet (all fields empty).
National Vulnerability Database (NVD)
nvd.nist.gov
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Published At: 22 Jan, 2024 | 18:15
Updated At: 02 Feb, 2024 | 17:15

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Fortra LLC (fortra) >> goanywhere_managed_file_transfer >> Versions from 7.0.0 (inclusive) to 7.4.1 (exclusive)
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
Fortra LLC (fortra) >> goanywhere_managed_file_transfer >> 6.0.0
cpe:2.3:a:fortra:goanywhere_managed_file_transfer:6.0.0:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-425
Type: Primary
Source: nvd@nist.gov

CWE ID: CWE-425
Type: Secondary
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
References
Hyperlink: http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Resource: Third Party Advisory, VDB Entry

Hyperlink: http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Resource: N/A

Hyperlink: https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Resource: Permissions Required

Hyperlink: https://www.fortra.com/security/advisory/fi-2024-001
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Resource: Vendor Advisory
