6 matches found
GHSA-J5RM-V3VH-VX94 eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges
Impact: In eduMFA = 2.9.1 by adding validity information to the userless challenges. Workarounds: No known workarounds besides disabling userless login altogether...
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges
Impact: In eduMFA = 2.9.1 by adding validity information to the userless challenges. Workarounds: No known workarounds besides disabling userless login altogether...
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check
Impact: If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased. Patches: This, along with other issues, was fixed in eduMFA v2.9.1. Workarounds: Limiting access to /validate/check to client applications i.e. Shibboleth/FreeRADI...
Insufficient Verification Of Data Authenticity
eduMFA is vulnerable to Insufficient Verification of Data Authenticity. The vulnerability is due to missing checks for Message-Authenticator attributes, which could result in authentication bypass...
GHSA-VHMJ-5Q9R-MM9G BlastRADIUS also affects eduMFA
Summary: BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior to version 2.2.0, because the Message-Authenticator attributes were not checked. Details: Website with the vulnerability information: blastradius.fail. The original vulnerability has been assigned CVE-2024-3596. Case in vince...
BlastRADIUS also affects eduMFA
Summary: BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior to version 2.2.0, because the Message-Authenticator attributes were not checked. Details: Website with the vulnerability information: blastradius.fail. The original vulnerability has been assigned CVE-2024-3596. Case in vince...