
15 matches found

OSV (added 2025/04/03 2:12 p.m., 6 views)

BIT-JOOMLA-2021-23127 [20210301] - Core - Insecure randomness within 2FA secret generation

An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 of 10 bytes vs 20 bytes...

CVSS 9.1 | AI score 9.2 | EPSS 0.01567 | Exploits 0 | References 2
Veracode (added 2024/09/19 10:10 a.m., 10 views)

Insufficient Entropy

devise-two-factor is vulnerable to Insufficient Entropy. The vulnerability is due to the generation of TOTP shared secrets that are only 120 bits, shorter than the 128-bit minimum defined by RFC 4226, allowing an attacker to more easily guess the shared secret and generate valid TOTP codes...

CVSS 6 | AI score 6.5 | EPSS 0.00632 | Exploits 0 | References 3 | Affected Software 1
OSV (added 2024/09/17 6:15 p.m., 10 views)

CVE-2024-8796

Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...

CVSS 5.3 | AI score 5.4 | Exploits 0 | References 1
Vulnrichment (added 2024/09/17 5:12 p.m., 18 views)

CVE-2024-8796 Insufficient Default OTP Shared Secret Length

Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...

CVSS 6 | AI score 7.1 | EPSS 0.00632 | Exploits 0 | References 1
CVE (added 2024/09/17 5:12 p.m., 71 views)

CVE-2024-8796

CVE-2024-8796 affects the Devise-Two-Factor library. Under default configuration, versions >= 2.2.0 and

CVSS 6 | AI score 5.2 | EPSS 0.00632 | Exploits 0 | References 1 | Affected Software 1
Cvelist (added 2024/09/17 5:12 p.m., 48 views)

CVE-2024-8796 Insufficient Default OTP Shared Secret Length

Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...

CVSS 6 | EPSS 0.00632 | Exploits 0 | References 1
Debian CVE (added 2024/09/17 5:12 p.m., 17 views)

CVE-2024-8796

Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...

CVSS 6 | AI score 5.4 | EPSS 0.00632 | Exploits 0
RubySec (added 2024/09/17 12:00 a.m., 26 views)

Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length

Summary: Under the default configuration, Devise-Two-Factor version = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier...

CVSS 6 | AI score 6.9 | EPSS 0.00632 | Exploits 0 | References 1 | Affected Software 1
Tenable Nessus (added 2021/03/11 12:00 a.m., 43 views)

Joomla 1.6.x < 3.9.25 Multiple Vulnerabilities (5834-joomla-3-9-25)

According to its self-reported version, the instance of Joomla! running on the remote web server is 1.6.x prior to 3.9.25. It is, therefore, affected by multiple vulnerabilities. - An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand function within the process of...

CVSS 9.1 | AI score 6.5 | EPSS 0.06529 | Exploits 2 | References 11
NVD (added 2021/03/04 6:15 p.m., 9 views)

CVE-2021-23127

An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret according to RFC 4226 of 10 bytes vs 20 bytes...

CVSS 9.1 | EPSS 0.01567 | Exploits 0 | References 1
Joomla! Vulnerable Extensions List (added 2021/01/12 12:00 a.m., 27 views)

[20210301] - Core - Insecure randomness within 2FA secret generation

Usage of the insecure rand function within the process of generating the 2FA secret. Usage of an insufficient length for the 2FA secret according to RFC 4226 of 10 bytes vs 20 bytes...

AI score 7.1 | Exploits 0 | Affected Software 1
Hacker One (added 2018/11/07 1:52 p.m., 49 views)

Phabricator: TOTP Key is shorter than RFC 4226 recommended minimum

mongoose: Observed Behavior: When creating a TOTP secret a 16 character base32 encoded string is presented to the user. Expected Behavior: I would expect a 32 character base32 secret to be presented. The RFC recommends 160 bits of entropy, which is 32 character x 5 bits per character in a base32...

AI score 0.7 | Exploits 0
Atlassian (added 2010/04/13 3:26 p.m., 28 views)

Allow user accounts to require two-factor authentication using RFC 4226

NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion (http://jira.atlassian.com/browse/JRASERVER-20999). New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure...

AI score 0.9 | Exploits 0 | Affected Software 1
Atlassian (added 2010/04/13 3:26 p.m., 280 views)

Allow user accounts to require two-factor authentication using RFC 4226

NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JRACLOUD-20999). New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure...

AI score 0.9 | Exploits 0 | Affected Software 1
Atlassian (added 2010/04/13 3:26 p.m., 22 views)

Allow user accounts to require two-factor authentication using RFC 4226

New feature request. In light of the recent security hack at Apache, it might be prudent for JIRA to provide some more secure options for user authentication. One candidate is two-factor authentication using the RFC 4226 OATH/HOTP standard (http://en.wikipedia.org/wiki/HOTP). This requires the user...

AI score 0.9 | Exploits 0 | Affected Software 1