Unknown · The Bastion · CVE-2023-45140
**Name of the Vulnerable Software and Affected Versions**
The Bastion versions prior to 3.14.15
**Description**
The Bastion provides authentication, authorization, traceability, and auditability for SSH accesses. However, its SCP and SFTP plugins do not honor group-based Just-In-Time (JIT) Multi-Factor Authentication (MFA). This means that establishing an SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not prompt for an additional factor. This issue only applies to per-group JIT MFA; other MFA setup types, such as Immediate MFA, JIT MFA on a per-plugin basis, and JIT MFA on a per-account basis, are not affected.
**Recommendations**
For versions prior to 3.14.15, update to version 3.14.15 to resolve the issue. As a temporary workaround, consider disabling the group-based JIT MFA feature until the patch is applied. Restrict access to the SCP and SFTP plugins to minimize the risk of exploitation. Avoid using group-based access for SCP/SFTP connections until the issue is resolved.
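Triage helper for the description and recommendations above, added here as an example and not part of the advisory or of The Bastion's own code: it decides whether an installed release predates 3.14.15 (comparing numeric components, since a plain string comparison would rank 3.9.x above 3.14.15) and, for an affected release, lists the groups whose group-based JIT MFA requirement is the one SCP/SFTP sessions would not honor. The group-to-MFA-requirement mapping is an assumed, hand-built inventory, not output parsed from The Bastion.

```python
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "3.14.15"  # first release containing the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '3.14.15' into an integer tuple.

    Tuple comparison avoids the string-comparison trap where '3.9.99' > '3.14.15'.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the installed The Bastion release predates the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def groups_with_mfa_bypass(version: str, group_mfa: Dict[str, str]) -> List[str]:
    """Groups whose per-group JIT MFA would not be enforced for SCP/SFTP.

    group_mfa maps group name -> required MFA type; 'none' means MFA is not
    enforced for that group, so the bug does not change its behaviour.
    The mapping is an assumed inventory maintained by the operator, not
    something read from The Bastion itself.
    """
    if not is_affected(version):
        return []
    return sorted(g for g, req in group_mfa.items() if req.lower() != "none")


# Constructed sample inventory for demonstration only.
SAMPLE_GROUP_MFA = {"prod-db": "totp", "lab": "none", "infra-core": "any"}

if __name__ == "__main__":
    for v in ("3.14.14", "3.9.99", "3.14.15"):
        state = "affected" if is_affected(v) else "fixed"
        print(v, state, groups_with_mfa_bypass(v, SAMPLE_GROUP_MFA))
```

Groups reported for an affected release are the ones to restrict from SCP/SFTP access, or to move off group-based JIT MFA, until the update to 3.14.15 is applied.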