NIXPKGS-2026-1219

GitHub issue published 2 months ago

Permalink CVE-2026-40884

9.8 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months ago by @LeSuisse Activity log

Created suggestion 2 months ago
@LeSuisse accepted 2 months ago
@LeSuisse published on GitHub 2 months ago

goshs: Empty-username SFTP password authentication bypass in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.6

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1

Package maintainers

@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1219

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers