Group-based JIT MFA bypass on scp and sftp in The Bastion
CVE-2023-45140

4.8MEDIUM

Key Information:

Vendor: Ovh
Status: The-bastion
Vendor: CVE Published:; 8 November 2023

What is CVE-2023-45140?

The Bastion provides authentication, authorization, traceability and auditability for SSH accesses. SCP and SFTP plugins don't honor group-based JIT MFA. Establishing a SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not ask for additional factor. This abnormal behavior only applies to per-group-based JIT MFA. Other MFA setup types, such as Immediate MFA, JIT MFA on a per-plugin basis and JIT MFA on a per-account basis are not affected. This issue has been patched in version 3.14.15.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

the-bastion >= 3.0.0, <= 3.14.0

References

https://github.com/ovh/the-bastion/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/ovh/the-bastion/releases/tag/v3.14.15

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 8, 2023
Vulnerability Reserved
Oct 4, 2023

JSON

Ovh