CVE-2024-25157: Incorrect Implementation of Authentication Algorithm in GoAnywhere MFT

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 68.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 14

Description

An authentication bypass vulnerability in GoAnywhere MFT prior to 7.6.0 allows Admin Users with access to the Agent Console to circumvent some permission checks when attempting to visit other pages. This could lead to unauthorized information disclosure or modification.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.2 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5 | fortra/goanywhere_mft | 6.0.1 | 7.6.0

Vulnerability Details

1
GHSA
GHSA-vcx9-38wq-hx3h: An authentication bypass vulnerability in GoAnywhere MFT prior to 7
2024-08-14