Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2022-36071 #964

Closed
GoVulnBot opened this issue Sep 2, 2022 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/drakkan/sftpgo: CVE-2022-36071 #964

GoVulnBot opened this issue Sep 2, 2022 · 4 comments
Assignees
@tatianab
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2022-36071 references github.com/drakkan/sftpgo, which may be a Go module.

Description:
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP.

In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication.
An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/drakkan/sftpgo
    packages:
      - package: sftpgo
description: |
    SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP.

    In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication.
    An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.
cves:
  - CVE-2022-36071
references:
  - web: https://github.com/drakkan/sftpgo/security/advisories/GHSA-54qx-8p8w-xhg8
  - web: https://github.com/drakkan/sftpgo/issues/965
@tatianab tatianab self-assigned this Sep 2, 2022
@tatianab tatianab added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Sep 2, 2022
@tatianab
Copy link
Contributor

tatianab commented Sep 2, 2022

Vulnerability in internal package

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/427980 mentions this issue: data/excluded: add GO-2022-0964.yaml for CVE-2022-36071

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@GoVulnBot GoVulnBot mentioned this issue Jun 20, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607229 mentions this issue: data/reports: unexclude 20 reports (27)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (27)
bcdceff 
  - data/reports/GO-2022-0922.yaml
  - data/reports/GO-2022-0923.yaml
  - data/reports/GO-2022-0924.yaml
  - data/reports/GO-2022-0925.yaml
  - data/reports/GO-2022-0928.yaml
  - data/reports/GO-2022-0929.yaml
  - data/reports/GO-2022-0933.yaml
  - data/reports/GO-2022-0936.yaml
  - data/reports/GO-2022-0937.yaml
  - data/reports/GO-2022-0938.yaml
  - data/reports/GO-2022-0939.yaml
  - data/reports/GO-2022-0953.yaml
  - data/reports/GO-2022-0959.yaml
  - data/reports/GO-2022-0960.yaml
  - data/reports/GO-2022-0964.yaml
  - data/reports/GO-2022-0970.yaml
  - data/reports/GO-2022-0971.yaml
  - data/reports/GO-2022-0981.yaml
  - data/reports/GO-2022-0982.yaml
  - data/reports/GO-2022-0983.yaml

Updates #922
Updates #923
Updates #924
Updates #925
Updates #928
Updates #929
Updates #933
Updates #936
Updates #937
Updates #938
Updates #939
Updates #953
Updates #959
Updates #960
Updates #964
Updates #970
Updates #971
Updates #981
Updates #982
Updates #983

Change-Id: I2c7e7a823ba3bf18dab1234a40c08ac4825903f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607229
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@GoVulnBot GoVulnBot mentioned this issue Nov 21, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Nov 29, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 7, 2025
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tatianab tatianab

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot