Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/mickael-kerjean/filestash: GHSA-4jmm-c6jw-g796 #3033

Closed
GoVulnBot opened this issue Aug 2, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/mickael-kerjean/filestash: GHSA-4jmm-c6jw-g796 #3033

GoVulnBot opened this issue Aug 2, 2024 · 2 comments
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-4jmm-c6jw-g796 references a vulnerability in the following Go modules:

Module
github.com/mickael-kerjean/filestash

Description:
filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mickael-kerjean/filestash
      vulnerable_at: 0.2.1
summary: |-
    Filestash configured to skip TLS certificate verification when using the FTPS
    protocol in github.com/mickael-kerjean/filestash
cves:
    - CVE-2024-41255
ghsas:
    - GHSA-4jmm-c6jw-g796
references:
    - advisory: https://github.com/advisories/GHSA-4jmm-c6jw-g796
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41255
    - report: https://github.com/mickael-kerjean/filestash/issues/710
    - web: https://gist.github.com/nyxfqq/c367f2ca9448810924dcf0f1af30b441
    - web: https://github.com/mickael-kerjean/filestash/blob/master/server/plugin/plg_backend_ftp/index.go#L108
source:
    id: GHSA-4jmm-c6jw-g796
    created: 2024-08-02T17:01:12.196780135Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606360 mentions this issue: data/reports: regenerate 8 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 8 reports
9fd9786 
  - data/reports/GO-2024-2993.yaml
  - data/reports/GO-2024-2997.yaml
  - data/reports/GO-2024-3033.yaml
  - data/reports/GO-2024-3039.yaml
  - data/reports/GO-2024-2921.yaml
  - data/reports/GO-2024-2982.yaml
  - data/reports/GO-2024-3066.yaml
  - data/reports/GO-2024-3070.yaml

Updates #2993
Updates #2997
Updates #3033
Updates #3039
Updates #2921
Updates #2982
Updates #3066
Updates #3070

Change-Id: I5a682ceba4983a42b0d7783535488c5ecf049f25
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606360
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot