PT-2022-23159 · Sftpgo · Sftpgo

Drakkan · Published 2022-09-02 · Updated 2024-08-21 · CVE-2022-36071

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: SFTPGo versions 2.2.0 through 2.3.3

Description: SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S, and WebDAV support. It supports login using TOTP (Time-based One-Time Passwords) as a secondary authentication factor and also supports recovery codes, a set of one-time-use codes that can be used instead of the TOTP. An attacker who knows the user's password could potentially generate some recovery codes and then bypass two-factor authentication after it is enabled on the account at a later time. This issue has been fixed in version 2.3.4, where recovery codes can only be generated after enabling two-factor authentication and are deleted after disabling it.

Recommendations: For SFTPGo versions 2.2.0 through 2.3.3, update to version 2.3.4 to resolve the issue. As a temporary workaround, regenerate recovery codes after enabling two-factor authentication.
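The state rules described above (recovery codes only exist while 2FA is enabled, and are wiped when it is disabled), written out as an added example in Go; this is illustrative code, not SFTPGo's own implementation, and the `Account` type and its methods are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Account holds only the 2FA state a server keeps per user (hypothetical type, not SFTPGo's model).
type Account struct {
	TOTPEnabled   bool
	RecoveryCodes map[string]bool // code -> still unused
}

// GenerateRecoveryCodes applies the 2.3.4 rule: codes can be minted only while TOTP is enabled.
// In 2.2.0 through 2.3.3 this check was missing, so codes generated with just a password
// stayed valid after 2FA was later switched on and could be used to bypass it.
func (a *Account) GenerateRecoveryCodes(n int) ([]string, error) {
	if !a.TOTPEnabled {
		return nil, errors.New("enable two-factor authentication before generating recovery codes")
	}
	a.RecoveryCodes = make(map[string]bool, n)
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		buf := make([]byte, 8) // 64 bits of CSPRNG output per code
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		c := hex.EncodeToString(buf)
		a.RecoveryCodes[c] = true
		codes = append(codes, c)
	}
	return codes, nil
}

// DisableTOTP wipes stored codes so none survive a later re-enable.
func (a *Account) DisableTOTP() {
	a.TOTPEnabled = false
	a.RecoveryCodes = nil
}

// RedeemRecoveryCode accepts a code once, and only while 2FA is enabled.
func (a *Account) RedeemRecoveryCode(code string) bool {
	if !a.TOTPEnabled || !a.RecoveryCodes[code] {
		return false
	}
	delete(a.RecoveryCodes, code)
	return true
}
```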


Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-36071
GHSA-54QX-8P8W-XHG8
GO-2022-0964

Affected Products

Sftpgo