CVE-2023-49075

Опубликовано: 28 нояб. 2023

Источник: nvd

CVSS3: 8.4

CVSS3: 7.2

EPSS Низкий

Описание

The Admin Classic Bundle provides a Backend UI for Pimcore. AdminBundle\Security\PimcoreUserTwoFactorCondition introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

Ссылки

https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
Patch
https://github.com/pimcore/admin-ui-classic-bundle/pull/345
Patch
Vendor Advisory
URL Repurposed
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
Patch
Vendor Advisory
https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
Patch
Vendor Advisory
https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
Patch
https://github.com/pimcore/admin-ui-classic-bundle/pull/345
Patch
Vendor Advisory
URL Repurposed
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
Patch
Vendor Advisory
https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*

Версия до 1.2.2 (исключая)

EPSS

Процентиль: 1%

0.00013

Низкий

8.4 High

CVSS3

7.2 High

CVSS3

Дефекты

CWE-308

Связанные уязвимости

GHSA-9wwg-r3c7-4vfg

CVSS3: 8.4

github

около 2 лет назад

Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls

EPSS

Процентиль: 1%

0.00013

Низкий

8.4 High

CVSS3

7.2 High

CVSS3

Дефекты

CWE-308