GoogleOSV:GHSA-VW39-2WJ9-4Q86django-mfa2 vulnerable to MFA Replay attack
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
34.6%
mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.
References
github.com/mkalioby/django-mfa2
github.com/mkalioby/django-mfa2/blob/0936ea253354dd95cb127f09d0efa31324caef27/mfa/FIDO2.py#L58
github.com/mkalioby/django-mfa2/commit/54db5a513bcafa97a36e9f6dfa31d3c61fa8217b
github.com/mkalioby/django-mfa2/commit/5fbb505e98ecdd409330a5c336ad5ec49631b0db
github.com/mkalioby/django-mfa2/releases/tag/v2.5.1-release
github.com/mkalioby/django-mfa2/releases/tag/v2.6.1-release
github.com/pypa/advisory-database/tree/main/vulns/django-mfa2/PYSEC-2022-303.yaml
nvd.nist.gov/vuln/detail/CVE-2022-42731
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
34.6%