OSV: GHSA-9WWG-R3C7-4VFG (source: osv.dev, Google)
Published: Nov 27, 2023 - 11:23 p.m.

Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls

Tags: pimcore, admin ui, two factor authentication, security, firewalls, patch, upgrade

CVSS 3.1 base score: 8.4
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7.3 (confidence: Low)
EPSS: 0.001 (percentile: 28.5%)

Impact

AdminBundle\Security\PimcoreUserTwoFactorCondition, introduced in v11, disables two-factor authentication for all non-admin security firewalls.

An authenticated user can therefore sign in through any of those firewalls without providing the second-factor credentials, even if two-factor authentication is enabled for the account. Only the second factor is bypassed: the attacker still needs the account's primary credentials, which is why the vector above rates Privileges Required as HIGH.
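The failure mode the advisory describes, as an added illustrative example that is not Pimcore's code and not the change in the pull request linked below: a condition class in the style of scheb/2fa's TwoFactorConditionInterface that keys on the firewall name and answers "no second factor needed" for every firewall except the admin one, next to a hardened variant in which the user's enrollment decides and a firewall can only be exempted through an explicit list. The two interfaces are trimmed stand-ins for scheb/2fa's TwoFactorConditionInterface and AuthenticationContextInterface so the script runs without the bundle; the firewall names, the User class and both condition class names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Trimmed stand-in for scheb/2fa's AuthenticationContextInterface, so this
// file runs without the bundle (assumption: only firewall name and user matter here).
interface AuthenticationContext
{
    public function getFirewallName(): string;
    public function getUser(): object;
}

// Same contract as scheb/2fa's TwoFactorConditionInterface:
// returning false means "skip the second factor for this login".
interface TwoFactorCondition
{
    public function shouldPerformTwoFactorAuthentication(AuthenticationContext $context): bool;
}

// Minimal user model for the example (assumed shape, not Pimcore's User class).
final class User
{
    public function __construct(public string $username, public bool $twoFactorEnabled) {}
}

final class Context implements AuthenticationContext
{
    public function __construct(private string $firewall, private User $user) {}
    public function getFirewallName(): string { return $this->firewall; }
    public function getUser(): object { return $this->user; }
}

// The bug class the advisory describes: the firewall name, not the user's
// enrollment, decides, and every firewall other than the admin one is
// answered with "no second factor needed".
final class AdminOnlyTwoFactorCondition implements TwoFactorCondition
{
    public function shouldPerformTwoFactorAuthentication(AuthenticationContext $context): bool
    {
        if ($context->getFirewallName() !== 'pimcore_admin') { // firewall name assumed
            return false;
        }
        return $context->getUser()->twoFactorEnabled;
    }
}

// Hardened form: enrollment decides on every firewall; a firewall is exempt
// only if it is named in a deliberately configured list (empty by default).
final class EnrollmentTwoFactorCondition implements TwoFactorCondition
{
    /** @param string[] $exemptFirewalls */
    public function __construct(private array $exemptFirewalls = []) {}

    public function shouldPerformTwoFactorAuthentication(AuthenticationContext $context): bool
    {
        if (in_array($context->getFirewallName(), $this->exemptFirewalls, true)) {
            return false;
        }
        return $context->getUser()->twoFactorEnabled;
    }
}

// Regression check: for an enrolled user, list the firewalls on which the
// condition would let the login through without a second factor.
function bypassedFirewalls(TwoFactorCondition $condition, array $firewalls): array
{
    $enrolled = new User('alice', true);
    $bypassed = [];
    foreach ($firewalls as $firewall) {
        if (!$condition->shouldPerformTwoFactorAuthentication(new Context($firewall, $enrolled))) {
            $bypassed[] = $firewall;
        }
    }
    return $bypassed;
}

// Firewall names are constructed for the example.
$firewalls = ['pimcore_admin', 'pimcore_api', 'frontend'];

printf("vulnerable condition skips 2FA on: %s\n",
    implode(', ', bypassedFirewalls(new AdminOnlyTwoFactorCondition(), $firewalls)) ?: '(none)');

$leaked = bypassedFirewalls(new EnrollmentTwoFactorCondition(), $firewalls);
if ($leaked !== []) {
    throw new RuntimeException('second factor skipped on: ' . implode(', ', $leaked));
}
echo "hardened condition challenges the enrolled user on every firewall\n";
```

The check at the bottom is the one worth keeping in a test suite: an enrolled user, every configured firewall, and the expectation that the condition returns true everywhere except on firewalls that were exempted on purpose. A condition that consults the firewall name first and falls back to "skip" is exactly the shape that turns a scoping decision into a bypass.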

Patches

Apply the patch from pimcore/admin-ui-classic-bundle pull request 345: https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch

Workarounds

Upgrade pimcore/admin-ui-classic-bundle to version 1.2.2 (or a later release), or apply the patch above manually.
