Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled
CVE-2023-43809

7.5HIGH

Key Information:

Vendor

Charmbracelet

Status
Soft-serve
Vendor
CVE Published:
4 October 2023

What is CVE-2023-43809?

A security flaw in Soft Serve, a self-hostable Git server, enables unauthenticated remote attackers to bypass public key authentication when keyboard-interactive SSH is enabled. This vulnerability arises from inadequate validation during the SSH request handshake, particularly when the 'allow-keyless' setting is active and additional client-side verification, like FIDO2 or GPG, is required. Attackers can exploit this by sending manipulated SSH requests that circumvent normal access controls. Users are strongly urged to upgrade to Soft Serve version 0.6.2 for a fix, or to disable Keyboard-Interactive SSH Authentication temporarily.

Affected Version(s)

soft-serve < 0.6.2

References

https://github.com/charmbracelet/soft-serve/security/advi...
x_refsource_CONFIRM
https://github.com/charmbracelet/soft-serve/issues/389
x_refsource_MISC
https://github.com/charmbracelet/soft-serve/commit/407c4e...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.