Drakkan

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** Constraint extensions, such as `restrict-destination-v00@openssh.com`, were not serialized in requests when adding a key to a remote agent. This caused destination restrictions to be silently stripped during key forwarding, which allowed the key to be used without restrictions on the remote host. Furthermore, the in-memory keyring returned by the `NewKeyring()` function silently ignored keys with unsupported constraint extensions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** The in-memory keyring returned by the `NewKeyring()` function silently accepted keys with the `ConfirmBeforeUse` constraint but failed to enforce it. This allowed keys to sign without the required confirmation prompt, providing no indication to the caller that the constraint was inactive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SFTPGo versions prior to 2.3.5 **Description** SFTPGo is an SFTP server written in Go. The SFTPGo WebClient is subject to Cross-site scripting (XSS) vulnerabilities, allowing remote attackers to inject malicious code. This issue is patched in version 2.3.5. No known workarounds exist. **Recommendations** For versions prior to 2.3.5, update to version 2.3.5 to resolve the issue. As a temporary workaround, consider restricting access to the SFTPGo WebClient until the update is applied.

**Name of the Vulnerable Software and Affected Versions** SFTPGo versions 2.2.0 through 2.3.3 **Description** SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S, and WebDAV support. It supports login using TOTP (Time-based One Time Passwords) as a secondary authentication factor and also supports recovery codes, which are a set of one-time use codes that can be used instead of the TOTP. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4, where recovery codes can now only be generated after enabling two-factor authentication and are deleted after disabling it. **Recommendations** For SFTPGo versions 2.2.0 through 2.3.3, update to version 2.3.4 to resolve the issue. As a temporary workaround, consider regenerating recovery codes after enabling two-factor authentication.