CVE-2023-43809

Name of the Vulnerable Software and Affected Versions Soft Serve versions prior to 0.6.2

Description A security issue in Soft Serve allows an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the allow-keyless setting, and the public key requires additional client-side verification, for example, using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this by presenting manipulated SSH requests using keyboard-interactive authentication mode, potentially resulting in unauthorized access to Soft Serve.

Recommendations To resolve the issue, upgrade to Soft Serve version 0.6.2. As a temporary workaround, consider disabling Keyboard-Interactive SSH Authentication using the allow-keyless setting.