Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-28373

Опубликовано: 13 мар. 2021
Источник: debian
EPSS Низкий

Описание

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
tt-rssnot-affectedpackage

Примечания

  • https://community.tt-rss.org/t/check-password-not-called-if-otp-is-enabled-update-asap-if-youre-using-2fa/4502

  • Introduced by: https://git.tt-rss.org/fox/tt-rss/commit/3fd785654372d493c031d9b541ab33a881023a32

  • Fixed by: https://git.tt-rss.org/fox/tt-rss/commit/4949e1a59059d9e72ba7a98f783cec312c06c6d2

EPSS

Процентиль: 36%
0.00147
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2021-28373

CVSS3: 7.5
ubuntu
почти 5 лет назад

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.

nvd логотип

CVE-2021-28373

CVSS3: 7.5
nvd
почти 5 лет назад

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.

github логотип

GHSA-vv4w-hr59-hmw6

CVSS3: 7.5
github
больше 3 лет назад

The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03-12 allows an attacker to log in via the OTP code without a valid password. NOTE: this issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Semantic version numbers such as 21.03 appear to exist, but are automatically generated from the year and month. They are not releases.

EPSS

Процентиль: 36%
0.00147
Низкий