ghsa-wmx7-pw49-88jx
Vulnerability from github
6.0 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.
Impact
An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials.
A TOTP token can be used multiple times to establish an authenticated session. RFC 6238 insists that an OTP must not be used more than once.
The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates this property with requirement 2.8.4.
Verify that time-based OTP can be used only once within the validity period.
It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.
Patches
This has been patched in Craft 5.2.3.
References:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use
https://github.com/craftcms/cms/releases/tag/5.2.3
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 5.2.2" }, "package": { "ecosystem": "Packagist", "name": "craftcms/cms" }, "ranges": [ { "events": [ { "introduced": "5.0.0-beta.1" }, { "fixed": "5.2.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-41800" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2024-07-25T17:58:01Z", "nvd_published_at": "2024-07-25T17:15:11Z", "severity": "MODERATE" }, "details": "Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.\n\n### Impact\n\nAn attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim\u0027s credentials.\n\nA TOTP token can be used multiple times to establish an authenticated session.\n[RFC 6238](https://www.rfc-editor.org/rfc/rfc6238) insists that an OTP must not be used more than once.\n\n\u003e The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.\n\nThe OWASP Application Security Verification Standard v4.0.3 (ASVS) [reiterates\nthis property with requirement 2.8.4](https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md#v28-one-time-verifier).\n\n\u003e Verify that time-based OTP can be used only once within the validity period.\n\nIt should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.\n\n### Patches\n\nThis has been patched in Craft 5.2.3.\n\nReferences:\n\nhttps://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use\n\nhttps://github.com/craftcms/cms/releases/tag/5.2.3", "id": "GHSA-wmx7-pw49-88jx", "modified": "2024-07-26T21:40:26Z", "published": "2024-07-25T17:58:01Z", "references": [ { "type": "WEB", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41800" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38" }, { "type": "PACKAGE", "url": "https://github.com/craftcms/cms" }, { "type": "WEB", "url": "https://github.com/craftcms/cms/releases/tag/5.2.3" }, { "type": "WEB", "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Craft CMS Allows TOTP Token To Stay Valid After Use" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.