Security Advisory for SFTPPlus 4.6.0

We have released SFTPPlus version 4.6.0, which fixes a security issue related to the SFTP/SCP server-side users authentication over a custom HTTP method.

SFTPPlus was not checking if the remote peer has a copy of the private key when using the HTTP authentication method together with SSH key authentication.

This security issue only affects SSH key authentication when using the external HTTP authentication method.

This does not affect the SSH key authentication when using the embedded SFTPPlus credentials validation.

The upgrade is recommended for all customers using SFTPPlus as an SFTP/SCP server together with the HTTP authentication method.

You can check the full release notes here.

Security advisories newsletter

The security advisories newsletter is available to our customers as a convenient method for receiving information about security updates and best practices.

You can view the security advisories archive here (articles are made public 3 months after their initial internal release).