Detections
Analytics
Fortra GoAnywhere MFT 6.x > 6.0.1 / 7.x < 7.4.1 Authentication Bypass
critical Web App Scanning Plugin ID 114163
Language:
Synopsis
Fortra GoAnywhere MFT 6.x > 6.0.1 / 7.x < 7.4.1 Authentication BypassDescription
Fortra GoAnywhere MFT is a Managed File Transfer (MFT) solution helping organizations build both internal and external data transfer exchanges. GoAnyWhere MFT versions 6.x from 6.0.1 and 7.x before 7.4.1 suffer from an authentication bypass vulnerability. By crafting a specific URL, a remote and unauthenticated attacker can access the wizard setup and create a new administrator account on the target GoAnywhere instance.Solution
Upgrade to version 7.4.1 or later.See Also
https://www.fortra.com/security/advisory/fi-2024-001
https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/
Plugin Details
Severity: Critical
ID: 114163
Type: remote
Family: Component Vulnerability
Published: 1/26/2024
Updated: 1/26/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.5
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-0204
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-0204
Vulnerability Information
CPE: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2024-0204
CWE: 425
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6
WASC: Predictable Resource Location
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1