Description
scheb/two-factor-bundle bypass two-factor authentication with unverified JWT trusted device token
Before version 3.7, the bundle is vulnerable to a security issue in JWT, which an attacker can exploit to generate trusted device cookies on their own, effectively bypassing two-factor authentication.
Packages
Name: scheb/two-factor-bundle (composer)
Affected versions: >= 3.0.0, < 3.7.0
Fixed version: 3.7.0
CVSS3: 7.4 High
Weaknesses: CWE-287