CVE-2022-36071 : SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV suppor

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

Published 2022-09-02 18:15:12

Updated 2022-09-09 03:40:35

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-36071

Sftpgo Project » Sftpgo
Versions from including (>=) 2.2.0 and before (<) 2.3.4
cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36071

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 2 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36071

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L	2.8	5.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2022-36071

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: security-advisories@github.com (Secondary)
CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-36071

https://github.com/drakkan/sftpgo/issues/965

TOTP Generate Recovery Codes MFA · Issue #965 · drakkan/sftpgo · GitHub
Exploit;Issue Tracking;Patch;Third Party Advisory
https://github.com/drakkan/sftpgo/security/advisories/GHSA-54qx-8p8w-xhg8

Recovery codes abuse · Advisory · drakkan/sftpgo · GitHub
Mitigation;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36071

Products affected by CVE-2022-36071

Exploit prediction scoring system (EPSS) score for CVE-2022-36071

CVSS scores for CVE-2022-36071

CWE ids for CVE-2022-36071

References for CVE-2022-36071