{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T21:22:20.332","vulnerabilities":[{"cve":{"id":"CVE-2023-43809","sourceIdentifier":"security-advisories@github.com","published":"2023-10-04T21:15:10.280","lastModified":"2024-11-21T08:24:49.470","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the public key requires additional client-side verification for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to the Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to receive the patch for this issue. To workaround this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the `allow-keyless` setting."},{"lang":"es","value":"Soft Serve es un servidor Git autohospedable para la línea de comandos. Antes de la versión 0.6.2, una vulnerabilidad de seguridad en Soft Serve podría permitir a un atacante remoto no autenticado eludir la autenticación de clave pública cuando la autenticación SSH interactiva con teclado está activa, a través de la configuración \"allow-keyless\", y la clave pública requiere verificación adicional del lado del cliente, por ejemplo, utilizando FIDO2 o GPG. Esto se debe a procedimientos de validación insuficientes del paso de la clave pública durante el protocolo de enlace de solicitud SSH, lo que otorga acceso no autorizado si se utiliza el modo de interacción con el teclado. Un atacante podría aprovechar esta vulnerabilidad presentando solicitudes SSH manipuladas utilizando el modo de autenticación interactivo con teclado. Potencialmente, esto podría resultar en un acceso no autorizado al Soft Serve. Los usuarios deben actualizar a la última versión de Soft Serve `v0.6.2` para recibir el parche para este problema. Como workaround esta vulnerabilidad sin realizar una actualización, los usuarios pueden desactivar temporalmente la autenticación SSH interactiva con teclado utilizando la configuración \"allow-keyless\"."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-287"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*","versionEndExcluding":"0.6.2","matchCriteriaId":"962411DB-9A36-4D48-B5E5-BAC38703E87D"}]}]}],"references":[{"url":"https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/charmbracelet/soft-serve/issues/389","source":"security-advisories@github.com","tags":["Exploit","Issue Tracking"]},{"url":"https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/charmbracelet/soft-serve/issues/389","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking"]},{"url":"https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}