Описание
Komari vulnerable to 2FA Authentication Bypass
Summary
Logic error in 2FA verification condition allows bypass of two-factor authentication
Details
There is no way for Verify2Fa to return an error AND true as ok at the same time, any codes are considered as valid.
PoC
Use any 6 digits as 2FA code
Impact
Bypass 2FA Authentication
Ссылки
- https://github.com/komari-monitor/komari/security/advisories/GHSA-jhmr-57cj-q6g9
- https://github.com/komari-monitor/komari/commit/cc3d54bff4c6495beaa1c7483379cd04542c557f
- https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55
- https://github.com/komari-monitor/komari/releases/tag/1.0.4-fix1
Пакеты
Наименование
github.com/komari-monitor/komari
go
Затронутые версииВерсия исправления
< 0.0.0-20250809064056-cc3d54bff4c6
0.0.0-20250809064056-cc3d54bff4c6
8.5 High
CVSS4
Дефекты
CWE-287
8.5 High
CVSS4
Дефекты
CWE-287