Description:
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active through the allow-keyless setting and the public key requires additional client-side verification, for example using FIDO2 or GPG. This is due to insufficient validation of the public key step during the SSH authentication handshake, granting unauthorized access if the keyboard-interactive mode is used. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to Soft Serve. Users should upgrade to the latest Soft Serve version v0.6.2 to receive the patch for this issue. To work around this vulnerability without upgrading, users can temporarily disable keyboard-interactive SSH authentication using the allow-keyless setting.
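The description above names the flaw class without showing it: a server that remembers a public key the client merely offered (the signature-less publickey query that precedes actual proof of possession) and then lets a keyboard-interactive login inherit that key's identity. The following is an added, constructed Go model of that state machine, not Soft Serve's code or its fix; the names `AuthState`, `KeyStore`, `HandlePublicKey`, `KeyboardInteractiveVulnerable` and `KeyboardInteractiveFixed` and the sample key material are assumptions. It places the vulnerable decision beside the hardened one and uses real Ed25519 signatures so the "offered" versus "verified" distinction is enforced by cryptography rather than by a flag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyStore maps a key fingerprint to the user it belongs to. Constructed stand-in
// for a server's authorized-keys database (hypothetical, not Soft Serve's type).
type KeyStore map[string]string

// AuthState records what one SSH userauth exchange has established so far.
// Keeping "offered" separate from "verified" is the whole point: the publickey
// method lets a client first ask whether a key would be acceptable (no signature);
// only a later request carrying a valid signature proves possession of the key.
type AuthState struct {
	OfferedKey  ed25519.PublicKey // key the client named in a signature-less query
	VerifiedKey ed25519.PublicKey // key whose signature over the session data checked out
}

// Fingerprint returns the hex SHA-256 of the raw public key bytes.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// HandlePublicKey models the server side of the publickey method. sessionData
// stands in for the bytes a real SSH client signs (session id plus the userauth
// request); sig == nil means "query only". It returns true only when a
// signature verified, so a bare query never authenticates anything.
func (s *AuthState) HandlePublicKey(store KeyStore, pk ed25519.PublicKey, sessionData, sig []byte) bool {
	if _, known := store[Fingerprint(pk)]; !known {
		return false
	}
	s.OfferedKey = pk // acceptable key, but possession is not proven yet
	if sig == nil || !ed25519.Verify(pk, sessionData, sig) {
		return false
	}
	s.VerifiedKey = pk
	return true
}

// KeyboardInteractiveVulnerable shows the flaw class: with keyless access
// allowed, the session receives the identity of whatever key was merely offered
// earlier, so knowing a user's public key (public by nature) is enough.
func KeyboardInteractiveVulnerable(s *AuthState, store KeyStore, allowKeyless bool) (user string, ok bool) {
	if !allowKeyless {
		return "", false
	}
	if s.OfferedKey != nil {
		return store[Fingerprint(s.OfferedKey)], true
	}
	return "anonymous", true
}

// KeyboardInteractiveFixed derives identity only from a verified key; a
// keyboard-interactive login with no verified key is at most anonymous.
func KeyboardInteractiveFixed(s *AuthState, store KeyStore, allowKeyless bool) (user string, ok bool) {
	if s.VerifiedKey != nil {
		return store[Fingerprint(s.VerifiedKey)], true
	}
	if allowKeyless {
		return "anonymous", true
	}
	return "", false
}

func main() {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	store := KeyStore{Fingerprint(adminPub): "admin"} // constructed sample database
	session := []byte("constructed session data")

	// A client that knows only admin's public key offers it without a signature,
	// much as a FIDO2/GPG-backed client that cannot finish the signing step would,
	// then falls back to keyboard-interactive.
	var s AuthState
	s.HandlePublicKey(store, adminPub, session, nil)
	fmt.Println(KeyboardInteractiveVulnerable(&s, store, true)) // admin true: identity without proof
	fmt.Println(KeyboardInteractiveFixed(&s, store, true))      // anonymous true

	// The real holder of the private key proves possession and keeps its identity.
	s.HandlePublicKey(store, adminPub, session, ed25519.Sign(adminPriv, session))
	fmt.Println(KeyboardInteractiveFixed(&s, store, true)) // admin true
}
```

The detection-side lesson is the same as the code's: identity must come from the method that actually completed, never from state left behind by an earlier, incomplete one. Server SSH libraries generally invoke their public key callback for signature-less queries as well (golang.org/x/crypto/ssh documents that a call to PublicKeyCallback does not guarantee the offered key is used to authenticate), so a keyboard-interactive handler that reads a key captured by that callback reproduces this bug even when the library itself verifies signatures correctly.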
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/charmbracelet/soft-serve
      vulnerable_at: 0.6.2
      packages:
          - package: soft-serve
description: |-
    Soft Serve is a self-hostable Git server for the command line. Prior to version
    0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated,
    remote attacker to bypass public key authentication when keyboard-interactive
    SSH authentication is active, through the `allow-keyless` setting, and the
    public key requires additional client-side verification for example using FIDO2
    or GPG. This is due to insufficient validation procedures of the public key step
    during SSH request handshake, granting unauthorized access if the
    keyboard-interaction mode is utilized. An attacker could exploit this
    vulnerability by presenting manipulated SSH requests using keyboard-interactive
    authentication mode. This could potentially result in unauthorized access to the
    Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to
    receive the patch for this issue. To workaround this vulnerability without
    upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication
    using the `allow-keyless` setting.
cves:
    - CVE-2023-43809
references:
    - advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v
    - report: https://github.com/charmbracelet/soft-serve/issues/389
    - fix: https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89
    - web: https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2
CVE-2023-43809 references github.com/charmbracelet/soft-serve, which may be a Go module.