CVE-2022-2818

HIGH8.8EPSS 1.5%

Cockpit Content Platform vulnerable to 2FA bypass

Published: 8/16/2022Modified: 2/16/2024

Description

Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.

Affected packages (1)

Packagist/cockpit-hq/cockpitfrom 0, < 2.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2818
PATCHhttps://github.com/cockpit-hq/cockpit
WEBhttps://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4
WEBhttps://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491