GoAnywhere MFT Security Advisory

Path Traversal: CVE-2021-46830

A security vulnerability has been identified within GoAnywhere MFT. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended. There are no known active exploits and the circumstances to permit this unintended access are remote, however, out of an abundance of caution, we are providing this advisory.

Affected Versions: < 6.8.3

This issue was reported to the GoAnywhere Security team by Gert Keldermans of NTT Belgium.

Remediation

Upgrade to GoAnywhere MFT 6.8.3 or higher to fully remediate this vulnerability.

  • This patch version prevents the creation and authentication of any Web Users with invalid or suspicious configurations. Be sure to download the upgrader, not the installer.
  • Review and disable any Web User accounts that contain invalid or suspicious configuration

 

 

Mitigation Options

For those unable to upgrade at this time, the following mitigation options are available:

 

  • Disable Self-Registration for external users. The Self-Registration settings can be found under Users -> Web User Self-Registration.
  • Review and disable any Web User accounts that contain invalid or suspicious configurations.
  • Update any Web User Templates used in Self-Registration to not use dynamic variables in folder paths.
  • Ensure the Minimum User Name Length in the User Name Policy for Web Users under the Web User Settings (Users -> Web User Settings -> User Name Policy) is configured to require 3 or more characters.
  • Ensure the Prohibited Special Characters on the User Name Policy for Web Users prohibits path traversing characters such as / and \.
  • Review and disable any Web User accounts that contain invalid or suspicious configurations.

 

For guidance on best practices when configuring your GoAnywhere MFT deployment, download the GoAnywhere MFT Hardening Guide from our Customer Portal .
Support is available for questions on this advisory.