We have released SFTPPlus version 4.6.0, which fixes a security issue related to the SFTP/SCP server-side users authentication over a custom HTTP method.

SFTPPlus was not checking if the remote peer has a copy of the private key when using the HTTP authentication method together with SSH key authentication.

This security issue only affects SSH key authentication when using the external HTTP authentication method.

This does not affect the SSH key authentication when using the embedded SFTPPlus credentials validation.

The upgrade is recommended for all customers using SFTPPlus as an SFTP/SCP server together with the HTTP authentication method.

You can check the full release notes here.