CVE-2025-0049 — Information Exposure via Error Message in Goanywhere

CWE-209 — Information Exposure via Error Message CWE-125 — Out-of-bounds Read3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 62.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortra Goanywhere Fortra Goanywhere Managed File Transfer Msrc Cbl2 VIM 9.0.1145-1 ON CBL Mariner 2.0 +1 more

Timeline

PublishedApr 28

Description

When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute server path which may allow Fuzzing for application mapping. This issue affects GoAnywhere: before 7.8.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDfortra/goanywhere_managed_file_transfer< 7.8.0

▶CVEListV5fortra/goanywhere< 7.8

▶msrcmsrc/cm1_vim_9.0.1189-1_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_vim_9.0.1145-1_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-w7mr-p347-2rxr: When a Web User without Create permission on subfolders attempts to upload a file to a non-existent directory, the error message includes the absolute↗2025-04-28

▶

📋Vendor Advisories

Microsoft

Out-of-bounds Read in vim/vim↗2023-01-10

▶