Security Advisory for SFTPPlus 3.55.0

We have released SFTPPlus version 3.55.0, which fixes a critical security issue for the Local Manager's web console GUI introduced with SFTPPlus version 3.24.0.

The security defect was allowing non-authenticated requests for the Activity log, downloaded in CSV format.

Your SFTPPlus setup is not affected if you are not using the default-enabled "Store in database" event handler.

In order to audit for potential security breaches, parse the log files for events with ID 50026, then check them for any unauthorized access. Unfortunately, you can only identify unauthorized access by its timestamp.

No user data or passwords can be compromised in this way. The usernames and filenames found in the logs are exposed to unauthorized parties if accessed in this particular way.

The upgrade is recommended for all customers using the web management console.

You can check the full release notes here.

Security advisories newsletter

The security advisories newsletter is available to our customers as a convenient method for receiving information about security updates and best practices.

You can view the security advisories archive here (articles are made public 3 months after their initial internal release).