
x/vulndb: potential Go vuln in github.com/charmbracelet/soft-serve: CVE-2023-43809 #2099

Closed
GoVulnBot opened this issue Oct 4, 2023 · 1 comment
@GoVulnBot

CVE-2023-43809 references github.com/charmbracelet/soft-serve, which may be a Go module.

Description:
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the allow-keyless setting, and the public key requires additional client-side verification, for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during the SSH request handshake, granting unauthorized access if the keyboard-interactive mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to Soft Serve. Users should upgrade to the latest Soft Serve version v0.6.2 to receive the patch for this issue. To work around this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the allow-keyless setting.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/charmbracelet/soft-serve
      vulnerable_at: 0.6.2
      packages:
        - package: soft-serve
description: |-
    Soft Serve is a self-hostable Git server for the command line. Prior to version
    0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated,
    remote attacker to bypass public key authentication when keyboard-interactive
    SSH authentication is active, through the `allow-keyless` setting, and the
    public key requires additional client-side verification for example using FIDO2
    or GPG. This is due to insufficient validation procedures of the public key step
    during SSH request handshake, granting unauthorized access if the
    keyboard-interaction mode is utilized. An attacker could exploit this
    vulnerability by presenting manipulated SSH requests using keyboard-interactive
    authentication mode. This could potentially result in unauthorized access to the
    Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to
    receive the patch for this issue. To workaround this vulnerability without
    upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication
    using the `allow-keyless` setting.
cves:
    - CVE-2023-43809
references:
    - advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v
    - report: https://github.com/charmbracelet/soft-serve/issues/389
    - fix: https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89
    - web: https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2

@jba jba self-assigned this Oct 5, 2023
@jba jba added the duplicate label Oct 5, 2023
@jba
Contributor

jba commented Oct 5, 2023

Duplicate of #2097

@jba jba marked this as a duplicate of #2097 Oct 5, 2023

3 participants