CVE-2022-24857

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15	Release Notes Third Party Advisory
https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de	Patch Third Party Advisory
https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0003/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:django-mfa3_project:django-mfa3:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-04-15 19:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-24857

Mitre link : CVE-2022-24857

CVE.ORG link : CVE-2022-24857

JSON object : View

Products Affected

django-mfa3_project

django-mfa3

CWE

CWE-287

Improper Authentication

{"id": "CVE-2022-24857", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}]}, "published": "2022-04-15T19:15:12.447", "references": [{"url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20220609-0003/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)"}, {"lang": "es", "value": "django-mfa3 es una librer\u00eda que implementa la autenticaci\u00f3n multifactor para el framework web django. Lo consigue al modificar la visualizaci\u00f3n de inicio de sesi\u00f3n normal. Sin embargo, Django presenta una segunda visualizaci\u00f3n de inicio de sesi\u00f3n para su \u00e1rea de administraci\u00f3n. Esta segunda visualizaci\u00f3n de inicio de sesi\u00f3n no fue modificada, por lo que la autenticaci\u00f3n multifactor puede ser omitida. Los usuarios est\u00e1n afectados si han activado tanto django-mfa3 (versiones anteriores a 0.5.0) como django.contrib.admin y no han tomado ninguna otra medida para evitar que los usuarios accedan a la visualizaci\u00f3n de inicio de sesi\u00f3n del administrador. El problema ha sido corregido en django-mfa3 versi\u00f3n 0.5.0. Es posible mitigar el problema al sobrescribir la ruta de inicio de sesi\u00f3n del administrador, por ejemplo, al a\u00f1adir la siguiente definici\u00f3n de URL *before* de las rutas del administrador: url(\"admin/login/\", lambda request: redirect(settings.LOGIN_URL)"}], "lastModified": "2023-02-03T17:38:14.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:django-mfa3_project:django-mfa3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5924974-0076-41F8-AADF-B90D308B5B10", "versionEndExcluding": "0.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}