MidnightBSD

Advisories for sftpgo_project

CVE-2022-36071

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes that can be used instead of the TOTP. In SFTPGo versions from version 2.2.0 to 2.3.3 recovery codes can be generated before enabling two-factor authentication. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4. Recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2
security-advisories@github.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
sftpgo_project sftpgo *
CVE-2022-39220

SFTPGo is an SFTP server written in Go. Versions prior to 2.3.5 are subject to Cross-site scripting (XSS) vulnerabilities in the SFTPGo WebClient, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
sftpgo_project sftpgo *
CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
freebsd freebsd *
crates thrussh *
jadaptive maverick_synergy_java_ssh_api *
gentoo security -
lancom-systems lcos *
vandyke securecrt *
lancom-systems lcos_fx -
ssh ssh *
apache sshj *
winscp winscp *
paramiko paramiko *
microsoft powershell *
redhat openshift_container_platform 4.0
redhat openstack_platform 17.1
lancom-systems lcos_lx -
redhat openshift_pipelines -
netgate pfsense_plus *
crushftp crushftp *
panic transmit_5 *
connectbot sshlib *
redhat advanced_cluster_security 4.0
redhat openstack_platform 16.2
redhat openshift_api_for_data_protection -
fedoraproject fedora 38
redhat jboss_enterprise_application_platform 7.0
thorntech sftp_gateway_firmware *
redhat openshift_dev_spaces -
netgate pfsense_ce *
lancom-systems lanconfig -
apple macos *
tinyssh tinyssh *
redhat keycloak -
redhat openshift_virtualization 4
net-ssh net-ssh 7.2.0
redhat openshift_data_foundation 4.0
redhat enterprise_linux 9.0
panic nova *
fedoraproject fedora 39
redhat storage 3.0
redhat discovery -
proftpd proftpd *
redhat openshift_serverless -
erlang erlang/otp *
trilead ssh2 6401
redhat enterprise_linux 8.0
roumenpetrov pkixssh *
lancom-systems lcos_sx 5.20
tera_term_project tera_term *
redhat openstack_platform 16.1
redhat single_sign-on 7.0
dropbear_ssh_project dropbear_ssh *
sftpgo_project sftpgo *
apache sshd *
netsarang xshell_7 *
redhat ceph_storage 6.0
libssh libssh *
asyncssh_project asyncssh *
libssh2 libssh2 *
filezilla-project filezilla_client *
kitty_project kitty *
openbsd openssh *
matez jsch *
golang crypto *
redhat openshift_gitops -
bitvise ssh_client *
oryx-embedded cyclone_ssh *
redhat cert-manager_operator_for_red_hat_openshift -
bitvise ssh_server *
debian debian_linux 10.0
putty putty *
russh_project russh *
redhat advanced_cluster_security 3.0
redhat openshift_developer_tools_and_services -
ssh2_project ssh2 *
lancom-systems lcos_sx 4.20
CVE-2026-30914

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder. This vulnerability is fixed in 2.7.1.

Products Affected

Vendor Product Version
sftpgo_project sftpgo *
CVE-2026-30915

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placeholders like %username%, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory. This issue is fixed in version v2.7.1

Products Affected

Vendor Product Version
sftpgo_project sftpgo *