This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: goshs < 2.0.0-beta.6 has an **Access Control Error**. **Consequences**: Attackers can bypass authentication entirely; no password is needed to access the SFTP service.
Q2: Root cause? (CWE/Flaw)
**Root Cause**: **CWE-306** (Missing Authentication for Critical Function). **Flaw**: The server fails to enforce password checks when the documented 'empty username' Basic Auth syntax is used.
Q3: Who is affected? (Versions/Components)
**Affected**: **goshs** by Patrick Hener. **Version**: All versions **before 2.0.0-beta.6**. **Fixed**: 2.0.0-beta.6 and later.
Q4: What can attackers do? (Privileges/Data)
**Attackers Can**: Gain **full access** without credentials. **Privileges**: Unauthenticated network access. **Data**: High risk of confidentiality, integrity, and availability loss (CVSS H/H/H).
Q5: Is the exploitation threshold high? (Auth/Config)
**Threshold**: **LOW**. **Auth**: None required. **Config**: The flaw is reached through the specific 'empty username' Basic Auth syntax; a server configured this way is an open door.
Q6: Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploit?**: **No PoC** listed in the data. **Status**: Advisory published (GHSA-c29w-qq4m-2gcv). **Risk**: The logic flaw is simple and likely easy to script manually.
Q7: How to self-check? (Features/Scanning)
**Self-Check**: Inventory your goshs SFTP services. **Test**: Try connecting with an **empty username** and any password (or no password). **Indicator**: If the connection is accepted, the instance is vulnerable.
Q8: Is it fixed officially? (Patch/Mitigation)
**Official Fix**: **YES**. **Action**: Upgrade to **goshs 2.0.0-beta.6** or newer. **Source**: GitHub Security Advisory (GHSA-c29w-qq4m-2gcv).
Q9: What if no patch? (Workaround)
**No Patch?**: **Workaround**: Disable SFTP if it is not needed. **Config**: Avoid the 'empty username' Basic Auth syntax. **Block**: Restrict network access to the SFTP port.
Q10: Is it urgent? (Priority Suggestion)
**Urgency**: **HIGH**. **Priority**: Critical. CVSS is **High** (9.8+ implied by H/H/H). **Action**: Patch immediately or isolate the service. Do not ignore.