Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Fortra GoAnywhere MFT is a Managed File Transfer (MFT) solution helping organizations build both internal and external data transfer exchanges. GoAnyWhere MFT versions before 7.1.2 suffer from a deserialization vulnerability in the LicenseResponse servlet. By crafting a specific serialized object, a remote unauthenticated attacker could achieve a remote code execution on the vulnerable system.

According to its self-reported version, the instance of Fortra GoAnywhere Managed File Transfer (MFT) running on the remote web server is < 7.1.2. It is, therefore, affected by a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This can allow an unauthenticated attacker with access to the administration port to run arbitrary commands on the remote server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
113896	Fortra GoAnywhere MFT < 7.1.2 Remote Code Execution	Web App Scanning	Component Vulnerability	high
171771	Fortra GoAnywhere Managed File Transfer (MFT) < 7.1.2 Pre-Authentication Command Injection (CVE-2023-0669)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2023-0669

high

Tenable Plugins

high

high