4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
21.5%
Announcement-ID: PMASA-2022-1
Date: 2022-01-10
Two factor authentication bypass
There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.
Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user’s two factor status.
We do not consider this vulnerability to be severe due to the steps required to prepare for the attack and access required. Further, as noted above, a user is permitted to disable two factor authentication through conventional means.
phpMyAdmin versions of the 4.9 branch prior to 4.9.8 and 5.1 prior to 5.1.2 are affected.
Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer or apply patch listed below.
phpMyAdmin team member William Desportes discovered this weakness
Assigned CVE ids: CVE-2022-23807
CWE ids: CWE-661
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
CPE | Name | Operator | Version |
---|---|---|---|
phpmyadmin | le | 4.9.8 | |
phpmyadmin | le | 5.1.2 |
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
21.5%