Byte Open Security (ByteOS Network)

Vulnerability Details:

CVE-2024-25157

Summary
Assigner: Fortra
Assigner Org ID: df4dee71-de3a-4139-9588-11b62fe6c0ff
Published At: 14 Aug, 2024 | 15:04
Updated At: 29 Aug, 2024 | 03:55
Rejected At: none

Authentication bypass in GoAnywhere MFT prior to 7.6.0

An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.

Common Vulnerabilities and Exposures (CVE)
Source: cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor: Fortra LLC (Fortra)
Product: GoAnywhere MFT
Default Status: affected
Versions Affected
  • From 6.0.1 before 7.6.0 (semver)
Problem Types
Type: CWE
CWE ID: CWE-303
Description: CWE-303: Incorrect Implementation of Authentication Algorithm
Metrics
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Impacts
CAPEC ID: CAPEC-114
Description: CAPEC-114 Authentication Abuse
Solutions

Upgrade to GoAnywhere MFT 7.6.0

References
Hyperlink: https://www.fortra.com/security/advisories/product-security/fi-2024-009
Resource: N/A
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor: Fortra LLC (fortra)
Product: goanywhere_managed_file_transfer
CPEs
  • cpe:2.3:a:fortra:goanywhere_managed_file_transfer:-:*:*:*:*:*:*:*
Default Status: unknown
Versions Affected
  • From 6.0.1 before 7.6.0 (semver)
National Vulnerability Database (NVD)
Source site: nvd.nist.gov
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Published At: 14 Aug, 2024 | 15:15
Updated At: 19 Aug, 2024 | 18:57

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CPE Matches
Vendor: Fortra LLC (fortra)
Product: goanywhere_managed_file_transfer, versions before 7.6.0 (exclusive)
CPE: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-287 (Improper Authentication)
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-303 (Incorrect Implementation of Authentication Algorithm)
Type: Secondary
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
References
Hyperlink: https://www.fortra.com/security/advisories/product-security/fi-2024-009
Source: df4dee71-de3a-4139-9588-11b62fe6c0ff
Resource: Vendor Advisory


Similar CVEs (4 records found)

CVE-2024-4332
Matching Score: 6
Assigner: Fortra, LLC
CVSS Score: 9.3 (CRITICAL)
EPSS score / percentile: 0.28% / 51.10% (7-day change: ~0.00%)
Published: 03 Jun, 2024 | 17:38
Updated: 01 Aug, 2024 | 20:40
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Improper Authentication in Tripwire Enterprise 9.1.0 APIs

An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification.

Action: Not Available
Vendor: Fortra LLC
Product: Tripwire Enterprise (tripwire_enterprise)
CWE ID: CWE-303 Incorrect Implementation of Authentication Algorithm
CVE-2024-9999
Matching Score: 4
Assigner: Progress Software Corporation
CVSS Score: 6.5 (MEDIUM)
EPSS score / percentile: 0.11% / 29.69% (7-day change: ~0.00%)
Published: 12 Nov, 2024 | 16:33
Updated: 13 Nov, 2024 | 17:01
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Multi-Factor Authentication Bypass in Progress WS_FTP Server

In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.

Action: Not Available
Vendor: Progress Software Corporation
Product: WS_FTP Server (ws_ftp_server)
CWE ID: CWE-303 Incorrect Implementation of Authentication Algorithm
CVE-2024-7745
Matching Score: 4
Assigner: Progress Software Corporation
CVSS Score: 6.5 (MEDIUM)
EPSS score / percentile: 0.26% / 49.09% (7-day change: ~0.00%)
Published: 28 Aug, 2024 | 16:31
Updated: 04 Sep, 2024 | 17:57
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Multi-Factor Authentication Bypass in Progress WS_FTP Server

In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.

Action: Not Available
Vendor: Progress Software Corporation
Product: WS_FTP Server (ws_ftp_server)
CWE ID: CWE-290 Authentication Bypass by Spoofing
CWE ID: CWE-304 Missing Critical Step in Authentication
CWE ID: CWE-287 Improper Authentication
CVE-2022-2533
Matching Score: 4
Assigner: GitLab Inc.
CVSS Score: 6.5 (MEDIUM)
EPSS score / percentile: 0.03% / 6.73% (7-day change: ~0.00%)
Published: 17 Oct, 2022 | 00:00
Updated: 13 May, 2025 | 20:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.

Action: Not Available
Vendor: GitLab Inc.
Product: GitLab (gitlab)
CWE ID: CWE-287 Improper Authentication