github - ghsa-wmx7-pw49-88jx

ghsa-wmx7-pw49-88jx

Vulnerability from github

Published

2024-07-25 17:58

Modified

2024-07-26 21:40

Severity

4.8 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
6.0 (Medium) - CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Craft CMS Allows TOTP Token To Stay Valid After Use

Details

Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.

Impact

An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials.

A TOTP token can be used multiple times to establish an authenticated session. RFC 6238 insists that an OTP must not be used more than once.

The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates this property with requirement 2.8.4.

Verify that time-based OTP can be used only once within the validity period.

It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.

Patches

This has been patched in Craft 5.2.3.

References:

https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use

https://github.com/craftcms/cms/releases/tag/5.2.3

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-beta.1"
            },
            {
              "fixed": "5.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-25T17:58:01Z",
    "nvd_published_at": "2024-07-25T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.\n\n### Impact\n\nAn attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim\u0027s credentials.\n\nA TOTP token can be used multiple times to establish an authenticated session.\n[RFC 6238](https://www.rfc-editor.org/rfc/rfc6238) insists that an OTP must not be used more than once.\n\n\u003e The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.\n\nThe OWASP Application Security Verification Standard v4.0.3 (ASVS) [reiterates\nthis property with requirement 2.8.4](https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md#v28-one-time-verifier).\n\n\u003e Verify that time-based OTP can be used only once within the validity period.\n\nIt should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.\n\n### Patches\n\nThis has been patched in Craft 5.2.3.\n\nReferences:\n\nhttps://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use\n\nhttps://github.com/craftcms/cms/releases/tag/5.2.3",
  "id": "GHSA-wmx7-pw49-88jx",
  "modified": "2024-07-26T21:40:26Z",
  "published": "2024-07-25T17:58:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41800"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.2.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Allows TOTP Token To Stay Valid After Use"
}

cve-2024-41800

Vulnerability from cvelistv5

Published

2024-07-25 16:12

Modified

2024-08-02 04:46

Severity

4.8 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Summary

Craft CMS Allows TOTP Token To Stay Valid After Use

References

URL	Tags
https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx	x_refsource_CONFIRM
https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38	x_refsource_MISC
https://github.com/craftcms/cms/releases/tag/5.2.3	x_refsource_MISC
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use	x_refsource_MISC

Impacted products

Vendor	Product
craftcms	cms

Show details on NVD website