PT-2023-29435 · Unknown · The Bastion

Thibaultdewailly · Published 2023-11-08 · Updated 2023-11-16

CVE-2023-45140

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Bastion versions prior to 3.14.15

Description: The Bastion provides authentication, authorization, traceability, and auditability for SSH accesses. However, its SCP and SFTP plugins do not honor group-based Just-In-Time (JIT) Multi-Factor Authentication (MFA): establishing an SCP/SFTP connection through The Bastion via a group access where MFA is enforced does not prompt for an additional factor. This issue only applies to per-group JIT MFA; other MFA setup types, such as Immediate MFA, per-plugin JIT MFA, and per-account JIT MFA, are not affected.

Recommendations: For versions prior to 3.14.15, update to version 3.14.15 to resolve the issue. As a temporary workaround, consider disabling the group-based JIT MFA feature until the patch is applied. Restrict access to the SCP and SFTP plugins to minimize the risk of exploitation. Avoid using group-based access for SCP/SFTP connections until the issue is resolved.

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2023-45140, GHSA-PR4Q-W883-PF5X

Affected Products: The Bastion