CVE-2022-24857

{"id": "CVE-2022-24857", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-04-15T19:15:12.447", "references": [{"url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20220609-0003/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20220609-0003/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)"}, {"lang": "es", "value": "django-mfa3 es una librer\u00eda que implementa la autenticaci\u00f3n multifactor para el framework web django. Lo consigue al modificar la visualizaci\u00f3n de inicio de sesi\u00f3n normal. Sin embargo, Django presenta una segunda visualizaci\u00f3n de inicio de sesi\u00f3n para su \u00e1rea de administraci\u00f3n. Esta segunda visualizaci\u00f3n de inicio de sesi\u00f3n no fue modificada, por lo que la autenticaci\u00f3n multifactor puede ser omitida. Los usuarios est\u00e1n afectados si han activado tanto django-mfa3 (versiones anteriores a 0.5.0) como django.contrib.admin y no han tomado ninguna otra medida para evitar que los usuarios accedan a la visualizaci\u00f3n de inicio de sesi\u00f3n del administrador. El problema ha sido corregido en django-mfa3 versi\u00f3n 0.5.0. Es posible mitigar el problema al sobrescribir la ruta de inicio de sesi\u00f3n del administrador, por ejemplo, al a\u00f1adir la siguiente definici\u00f3n de URL *before* de las rutas del administrador: url(\"admin/login/\", lambda request: redirect(settings.LOGIN_URL)"}], "lastModified": "2024-11-21T06:51:14.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:django-mfa3_project:django-mfa3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5924974-0076-41F8-AADF-B90D308B5B10", "versionEndExcluding": "0.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}