CVE-2025-47776

CRITICAL9.1EPSS 0.10%

MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling

發布日:2025/11/3修改日:2026/3/6
也稱為:GHSA-4v8w-gg5j-ph37

描述

Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. [1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782 ### Impact On MantisBT instances configured to use the *MD5* login method, user accounts having a password hash evaluating to zero (i.e. matching regex `^0+[Ee][0-9]+$`) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for example `comito5` (0e579603064547166083907005281618). No password bruteforcing for individual users is needed, thus $g_max_failed_login_count does not protect against the attack. ### Patches * https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2 ### Workarounds Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL: ```sql SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$' ``` ### References - https://mantisbt.org/bugs/view.php?id=35967 ### Credits Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1CRITICAL9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

參考連結(6)