Veracode Vulnerability Database: VERACODE:44469
History: Nov 29, 2023 - 9:13 a.m.

Authentication Bypass

2023-11-29 09:13:13
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5
pimcore
authentication bypass
vulnerability
two-factor authentication
non-admin security

CVSS3: 8.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score: 7.4
Confidence: Low

EPSS: 0.001
Percentile: 28.5%

Pimcore/admin-ui-classic-bundle is vulnerable to an Authentication Bypass. The vulnerability exists in the shouldPerformTwoFactorAuthentication function in PimcoreUserTwoFactorCondition.php: the function does not properly check two-factor authentication, which allows an attacker to bypass two-factor authentication for all non-admin security firewalls.
