Fortra GoAnywhere MFT 6.x > 6.0.1 / 7.x < 7.4.1 Authentication Bypass

critical Web App Scanning Plugin ID 114163

Synopsis

Fortra GoAnywhere MFT 6.x > 6.0.1 / 7.x < 7.4.1 Authentication Bypass

Description

Fortra GoAnywhere MFT is a Managed File Transfer (MFT) solution helping organizations build both internal and external data transfer exchanges. GoAnyWhere MFT versions 6.x from 6.0.1 and 7.x before 7.4.1 suffer from an authentication bypass vulnerability. By crafting a specific URL, a remote and unauthenticated attacker can access the wizard setup and create a new administrator account on the target GoAnywhere instance.

Solution

Upgrade to version 7.4.1 or later.

See Also

https://www.fortra.com/security/advisory/fi-2024-001

https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/

Plugin Details

Severity: Critical

ID: 114163

Type: remote

Published: 1/26/2024

Updated: 1/26/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-0204

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-0204

Vulnerability Information

CPE: cpe:2.3:a:fortra:goanywhere_managed_file_transfer:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2024-0204