GHSA-FG52-XJFC-9RH8
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-12-16 14:34Pterodactyl version 0.7.13 and lower - 2FA Sniffing
Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.
Impact
Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.
A logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.
For more information
If you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.13"
},
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1020002"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T14:34:49Z",
"nvd_published_at": "2019-07-29T15:15:00Z",
"severity": "HIGH"
},
"details": "**Pterodactyl version 0.7.13 and lower - 2FA Sniffing**\n\nUsers who have enabled 2FA protections on their account can unintentionally have their account\u0027s existence sniffed by malicious users who enter random credentials into the login fields.\n\n### Impact\nUsers who have enabled 2FA protections on their account can unintentionally have their account\u0027s existence sniffed by malicious users who enter random credentials into the login fields.\n\nA logical mistake was made when the original code was written that would wait to verify the user\u0027s password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.\n\n### For more information\nIf you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.",
"id": "GHSA-fg52-xjfc-9rh8",
"modified": "2022-12-16T14:34:49Z",
"published": "2022-05-24T16:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020002"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/releases/tag/v0.7.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pterodactyl vulnerable to 2FA Sniffing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.