ghsa-4v8w-gg5j-ph37
Vulnerability from github
Published
2025-11-03 17:07
Modified
2025-11-04 22:16
Severity ?
8.8 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
Details

Due to an incorrect use of loose (==) instead of strict (===) comparison in the authentication code, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.

Impact

On MantisBT instances configured to use the MD5 login method, user accounts having a password hash evaluating to zero (i.e. matching regex ^0+[Ee][0-9]+$) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example comito5 (0e579603064547166083907005281618).

No password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.

Patches

Fixed in 2.27.2.

Workarounds

Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL: sql SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'

Credits

Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mantisbt/mantisbt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.27.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-305",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-03T17:07:36Z",
    "nvd_published_at": "2025-11-04T21:15:37Z",
    "severity": "HIGH"
  },
  "details": "Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.\n\n[1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782\n\n### Impact\nOn MantisBT instances configured to use the *MD5* login method, user accounts having a password hash evaluating to zero (i.e. matching regex `^0+[Ee][0-9]+$`) are vulnerable, allowing an attacker knowing the victim\u0027s username to login without knowledge of their actual password, using any other password having a  hash evaluating to zero, for example `comito5` (0e579603064547166083907005281618). \n\nNo password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack.\n\n### Patches\nFixed in 2.27.2.\n\n### Workarounds\nCheck the database for vulnerable accounts, and change those users\u0027 passwords, e.g. for MySQL:\n```sql\nSELECT username, email FROM mantis_user_table WHERE password REGEXP \u0027^0+[Ee][0-9]+$\u0027\n```\n\n### Credits\nThanks to Harry Sintonen / Reversec for discovering and reporting the issue.",
  "id": "GHSA-4v8w-gg5j-ph37",
  "modified": "2025-11-04T22:16:19Z",
  "published": "2025-11-03T17:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47776"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mantisbt/mantisbt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782"
    },
    {
      "type": "WEB",
      "url": "https://mantisbt.org/bugs/view.php?id=35967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.