Path Traversal: CVE-2021-46830
A security vulnerability has been identified within GoAnywhere MFT. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended. There are no known active exploits, and the circumstances to permit this unintended access are remote; however, out of an abundance of caution, we are providing this advisory.
Affected Versions: < 6.8.3
This issue was reported to the GoAnywhere Security team by Gert Keldermans of NTT Belgium.
Remediation
Upgrade to GoAnywhere MFT 6.8.3 or higher to fully remediate this vulnerability.
- This patch version prevents the creation and authentication of any Web Users with invalid or suspicious configurations. Be sure to download the upgrader, not the installer.
- Review and disable any Web User accounts that contain invalid or suspicious configuration.
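
One way to support the account review above is to scan an export of Web User records for values that could influence a file path. This is an added example, not GoAnywhere tooling: the CSV column names and sample rows are constructed, and the checks are generic path traversal indicators, since the advisory does not enumerate what counts as suspicious.

```python
import csv
import io
import re
from urllib.parse import unquote

# Hypothetical column names for a Web User export; adjust to your own export.
IDENTITY_FIELDS = ("username", "first_name", "last_name", "email", "organization")

def _decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious(value):
    """Return a reason if the value could alter a file path, else None."""
    v = _decode(value)
    if re.search(r"[\x00-\x1f\x7f]", v):
        return "control character"
    if "/" in v or "\\" in v:
        return "path separator"
    if ".." in v or v.strip() == ".":
        return "dot segment"
    return None

def audit_web_users(csv_text):
    """Return (username, field, reason) for every flagged field."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in IDENTITY_FIELDS:
            reason = suspicious(row.get(field) or "")
            if reason:
                findings.append((row["username"], field, reason))
    return findings

# Constructed sample export, not real account data.
SAMPLE = """username,first_name,last_name,email,organization
alice,Alice,Ng,alice@example.com,Example Corp
..%2Fshared,Bob,Lee,bob@example.com,Example Corp
carol,Carol,..\\..\\finance,carol@example.com,Example Corp
dave%252e%252e,Dave,Kim,dave@example.com,Example Corp
"""

if __name__ == "__main__":
    for username, field, reason in audit_web_users(SAMPLE):
        print(f"{username!r}: {field} contains {reason}")
```

Flagged accounts are candidates for manual review and disabling; the script does not replace the upgrade to 6.8.3.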
Mitigation Options
For those unable to upgrade at this time, the following mitigation options are available: