8.4
CVE-2023-49075
- EPSS 1.44%
- Veröffentlicht 28.11.2023 05:15:08
- Zuletzt bearbeitet 21.11.2024 08:32:46
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pimcore ≫ Admin Classic Bundle SwPlatformpimcore Version < 1.2.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.44% | 0.697 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.4 | 1.7 | 6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
|
CWE-308 Use of Single-factor Authentication
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
https://github.com/pimcore/admin-ui-classic-bundle/pull/345
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch