Lucene search

GitHub_MCVELIST:CVE-2023-49075

HistoryNov 28, 2023 - 4:33 a.m.

CVE-2023-49075 Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls

2023-11-2804:33:23

CWE-308

GitHub_M

www.cve.org

pimcore

admin ui

two factor authentication

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

The Admin Classic Bundle provides a Backend UI for Pimcore. AdminBundle\Security\PimcoreUserTwoFactorCondition introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "admin-ui-classic-bundle",
    "versions": [
      {
        "version": "< 1.2.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628

github.com/pimcore/admin-ui-classic-bundle/pull/345

github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg

patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch

CVSS3

8.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

Related for CVELIST:CVE-2023-49075