<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SimpleHTTPServer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/simplehttpserver/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/simplehttpserver/feed.xml" rel="self" type="application/rss+xml"/><item><title>goshs SimpleHTTPServer SFTP Authentication Bypass Vulnerability (CVE-2026-40884)</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-goshs-auth-bypass/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-goshs-auth-bypass/</guid><description>goshs SimpleHTTPServer prior to version 2.0.0-beta.6 contains an SFTP authentication bypass vulnerability that allows unauthenticated network attackers to access files when the server is started with specific configuration parameters.</description><content:encoded><![CDATA[<p>The goshs SimpleHTTPServer, a utility written in Go, is susceptible to an SFTP authentication bypass vulnerability (CVE-2026-40884) in versions prior to 2.0.0-beta.6. This flaw arises when the server is launched using the <code>-b ':pass'</code> argument in conjunction with the <code>-sftp</code> flag. This specific configuration prevents the application from properly initializing an SFTP password handler. Consequently, a remote, unauthenticated attacker can establish a connection to the SFTP service and gain unauthorized access to files stored on the server. This vulnerability poses a significant risk to data confidentiality and integrity. Organizations using affected versions of goshs should upgrade to version 2.0.0-beta.6 or later immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable goshs server running a version prior to 2.0.0-beta.6 with SFTP enabled using <code>-sftp</code> and the vulnerable authentication configuration <code>-b ':pass'</code>.</li>
<li>Attacker establishes a network connection to the server's SFTP port (typically port 22, or a custom-configured port).</li>
<li>The attacker initiates an SFTP connection without providing any username or password, exploiting the missing password handler.</li>
<li>The vulnerable goshs server accepts the connection without authentication due to the configuration error.</li>
<li>The attacker is granted access to the file system served by the goshs server via SFTP.</li>
<li>The attacker navigates the file system, identifies sensitive files, and downloads them.</li>
<li>Attacker exfiltrates the stolen data from the network.</li>
<li>The attacker may use the compromised server as a pivot point for further attacks within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40884 allows an unauthenticated attacker to access sensitive files stored on the vulnerable goshs server. The impact can range from information disclosure to complete compromise of the server and potential lateral movement within the network. Given the CVSS v3.1 base score of 9.8, this vulnerability represents a critical risk. The number of affected systems depends on the adoption rate of goshs and the specific configurations used.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade goshs to version 2.0.0-beta.6 or later to patch CVE-2026-40884.</li>
<li>Review goshs server configurations and remove the vulnerable <code>-b ':pass'</code> configuration.</li>
<li>Monitor network connections to SFTP ports (default 22) for suspicious activity originating from unknown sources. Use the &quot;Detect Suspicious SFTP Connection&quot; Sigma rule provided below.</li>
<li>Implement network segmentation to limit the blast radius of a potential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication-bypass</category><category>sftp</category><category>vulnerability</category><category>network</category></item></channel></rss>