CVE-2022-2818

HIGH8.8EPSS 1.5%

Cockpit Content Platform vulnerable to 2FA bypass

發布日:2022/8/16修改日:2024/2/16

描述

Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.

受影響套件(1)

Packagist/cockpit-hq/cockpitfrom 0, < 2.2.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2818
PATCHhttps://github.com/cockpit-hq/cockpit
WEBhttps://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4
WEBhttps://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491