{ "schema_version": "1.4.0", "id": "GHSA-54qx-8p8w-xhg8", "modified": "2022-09-16T21:05:28Z", "published": "2022-09-16T21:05:28Z", "aliases": [ "CVE-2022-36071" ], "summary": "SFTPGo vulnerable to recovery codes abuse", "details": "### Impact\n\nSFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP.\n\nIn SFTPGo versions from v2.2.0 to v2.3.3 recovery codes can be generated before enabling two-factor authentication.\nAn attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time.\n\n### Patches\n\nFixed in v2.3.4.\nRecovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.\n\n### Workarounds\n\nRegenerate recovery codes after enabling two-factor authentication.\n\n### References\n\nhttps://github.com/drakkan/sftpgo/issues/965\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/drakkan/sftpgo/v2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2.0" }, { "fixed": "2.3.4" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-54qx-8p8w-xhg8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36071" }, { "type": "WEB", "url": "https://github.com/drakkan/sftpgo/issues/965" }, { "type": "PACKAGE", "url": "https://github.com/drakkan/sftpgo" } ], "database_specific": { "cwe_ids": [ "CWE-287", "CWE-916" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-16T21:05:28Z", "nvd_published_at": "2022-09-02T18:15:00Z" } }