GHSA-4gm4-c4mh-4p7w

Source

https://github.com/advisories/GHSA-4gm4-c4mh-4p7w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4gm4-c4mh-4p7w/GHSA-4gm4-c4mh-4p7w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4gm4-c4mh-4p7w

Aliases

CVE-2024-37893

Published

2024-06-17T22:28:28Z

Modified

2024-06-25T02:34:44.784573Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Firefly III has a MFA bypass in oauth flow

Details

Impact

A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password.

Patches

Problem has been patched in Firefly III v6.1.17 and up.

Workarounds

Use a unique password for your Firefly III instance,
Store your password securely, i.e. in a password manager or in your head.

References

https://owasp.org/www-community/attacks/PasswordSprayingAttack
https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass

Database specific

{
    "nvd_published_at": "2024-06-17T20:15:13Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-288"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:28:28Z"
}

References

Affected packages

Packagist / grumpydictator/firefly-iii

Package

Name: grumpydictator/firefly-iii
Purl: pkg:composer/grumpydictator/firefly-iii

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.17

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.3

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.4

3.4.0.1

3.4.0.2

3.4.0.3

3.4.0.4

3.4.0.5

3.4.0.6

3.4.0.7

3.4.0.8

3.4.0.9

3.4.0.10

3.4.1

3.4.2

3.4.3

3.4.4

3.4.4.1

3.4.4.2

3.4.5

3.4.6

3.4.6.1

3.4.7

3.4.8

3.4.9

3.4.10

3.4.11

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.6.1

3.6.0

3.6.1

3.7.0

3.7.1

3.7.2

3.7.2.1

3.7.2.2

3.7.2.3

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.9.0

3.9.1

3.10

3.10.1

3.10.2

3.10.3

3.10.4

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.6.3.1

4.6.4

4.6.5

4.6.6

4.6.7

4.6.8

4.6.9

4.6.10

4.6.11

4.6.11.1

4.6.12

4.6.13

4.7.0

4.7.1

4.7.1.1

4.7.1.2

4.7.1.3

4.7.1.4

4.7.2

4.7.2.1

4.7.2.2

4.7.3

4.7.3.1

4.7.3.2

4.7.4

4.7.5

4.7.5.1

4.7.5.2

4.7.5.3

4.7.6

4.7.6.1

4.7.6.2

4.7.7

4.7.8

4.7.9

4.7.10

4.7.11

4.7.12

4.7.12.1

4.7.13

4.7.14

4.7.15

4.7.16

4.7.17

4.7.17.1

4.7.17.2

4.7.17.3

4.7.17.4

4.7.17.5

4.7.17.6

4.8.0

4.8.0.1

4.8.0.2

4.8.0.3

4.8.1

4.8.1.1

4.8.1.2

4.8.1.3

4.8.1.4

4.8.1.5

4.8.1.6

4.8.1.7

4.8.1.8

4.8.2-alpha.1

4.8.2-alpha.2

4.8.2-alpha.3

4.8.2-alpha.4

4.8.2-alpha.5

4.8.2-alpha.6

4.8.2-beta.1

4.8.2-beta.2

4.8.2

4.8.3-alpha.1

5.*

5.0.0-alpha.1

5.0.0-alpha.2

5.0.0-beta.1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0-alpha.1

5.1.0-beta.1

5.1.0

5.1.1

5.2.0-alpha.1

5.2.0-beta.1

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

5.3.0-alpha.1

5.3.0-beta.1

5.3.0-beta.2

5.3.0

5.3.1

5.3.2

5.3.3

5.4.0-alpha.1

5.4.0-alpha.2

5.4.0-alpha.3

5.4.0-beta.1

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.5.0-beta.1

5.5.0-beta.2

5.5.0-beta.3

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.5.8

5.5.9

5.5.10

5.5.11

5.5.12

5.5.13

5.6.0-alpha.1

5.6.0-alpha.2

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.8

5.6.9

5.6.10

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.9

5.7.10

5.7.11

5.7.12

5.7.13

5.7.14

5.7.15

5.7.16

5.7.17

5.7.18

5.8.0-alpha.1

6.*

6.0.0-alpha.1

6.0.0-alpha.2

6.0.0-beta.1

6.0.9

v6.*

v6.0.0-beta.2

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.10

v6.0.11

v6.0.12

v6.0.13

v6.0.14

v6.0.15

v6.0.16

v6.0.17

v6.0.18

v6.0.19

v6.0.20

v6.0.21

v6.0.22

v6.0.23

v6.0.24

v6.0.25

v6.0.26

v6.0.27

v6.0.28

v6.0.29

v6.0.30

v6.1.0-alpha.1

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16