CVE-2022-36071 – github.com/drakkan/sftpgo/v2

Package

Manager: go
Name: github.com/drakkan/sftpgo/v2
Vulnerable Version: >=2.2.0 <2.3.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0002 pctl0.03386

Details

SFTPGo vulnerable to recovery codes abuse ### Impact SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from v2.2.0 to v2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. ### Patches Fixed in v2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it. ### Workarounds Regenerate recovery codes after enabling two-factor authentication. ### References https://github.com/drakkan/sftpgo/issues/965

Metadata

Created: 2022-09-16T21:05:28Z
Modified: 2022-09-16T21:05:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-54qx-8p8w-xhg8/GHSA-54qx-8p8w-xhg8.json
CWE IDs: ["CWE-287", "CWE-916"]
Alternative ID: GHSA-54qx-8p8w-xhg8
Finding: F052
Auto approve: 1