
Jjgadgets

#33501 of 53,635
7.8 CVSS total
Vulnerabilities · 1
PT-2023-6511
7.8
2023-10-02
Unknown · Soft Serve · CVE-2023-43809
**Name of the Vulnerable Software and Affected Versions**

Soft Serve versions prior to 0.6.2

**Description**

A security issue in Soft Serve allows an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is enabled (controlled by the `allow-keyless` setting) and the public key requires additional client-side verification, for example with FIDO2 or GPG. The cause is insufficient validation of the public key step during the SSH authentication handshake, which grants access when keyboard-interactive mode is used. An attacker could exploit this by presenting manipulated SSH requests in keyboard-interactive authentication mode, potentially resulting in unauthorized access to Soft Serve.

**Recommendations**

To resolve the issue, upgrade to Soft Serve version 0.6.2. As a temporary workaround, disable keyboard-interactive SSH authentication via the `allow-keyless` setting.