goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.
The problem occurs when the server is launched with the -b ':pass' parameter (basic-auth syntax with empty username) simultaneously with the -sftp flag. Goshs accepts such configuration, but does not install any password verification mechanism for the SFTP protocol. As a result, any attacker can establish a connection to the SFTP service and browse or download files without needing to provide any credentials.
An attacker can gain unauthorized access to files shared by the server, leading to violations of data confidentiality, integrity, and availability.
Update goshs to version 2.0.0-beta.6 or newer, where the vulnerability has been fixed. As a temporary workaround, avoid simultaneously using the -b ':pass' and -sftp options or restrict network access to the SFTP service using a firewall.
goshs in versions prior to 2.0.0-beta.6 when the server is launched with the -b ':pass' and -sftp parameters
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoshs
APPGoshs2.0.0< 2.0.0
Related vulnerabilities
Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)
Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia
Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików
Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload
Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()