GHSA-wmx7-pw49-88jx

Source

https://github.com/advisories/GHSA-wmx7-pw49-88jx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wmx7-pw49-88jx/GHSA-wmx7-pw49-88jx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wmx7-pw49-88jx

Aliases

CVE-2024-41800

Published

2024-07-25T17:58:01Z

Modified

2024-07-26T21:50:01.875030Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Craft CMS Allows TOTP Token To Stay Valid After Use

Details

Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.

Impact

An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials.

A TOTP token can be used multiple times to establish an authenticated session. RFC 6238 insists that an OTP must not be used more than once.

The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates this property with requirement 2.8.4.

Verify that time-based OTP can be used only once within the validity period.

It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.

Patches

This has been patched in Craft 5.2.3.

References:

https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701CraftCMSTOTPValidAfter_Use

https://github.com/craftcms/cms/releases/tag/5.2.3

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-beta.1

Fixed

5.2.3

Affected versions

5.*

5.0.0-beta.1

5.0.0-beta.2

5.0.0-beta.3

5.0.0-beta.4

5.0.0-beta.5

5.0.0-beta.6

5.0.0-beta.7

5.0.0-beta.8

5.0.0-beta.9

5.0.0-beta.10

5.0.0-beta.11

5.0.0-RC1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0-beta.1

5.2.0-beta.2

5.2.0-beta.3

5.2.0-beta.4

5.2.0-beta.5

5.2.0-beta.6

5.2.0

5.2.1

5.2.2

Database specific

{
    "last_known_affected_version_range": "<= 5.2.2"
}