CVE-2023-49075 — Use of Single-factor Authentication in Admin-ui-classic-bundle

CWE-308 — Use of Single-factor Authentication4 documents4 sources

Severity

7.2HIGHNVD

CNA8.4

EPSS

0.0%

top 98.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pimcore Admin-ui-classic-bundle Pimcore Admin Classic Bundle

Timeline

PublishedNov 28

Description

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDpimcore/admin_classic_bundle< 1.2.2

▶CVEListV5pimcore/admin-ui-classic-bundle< 1.2.2

▶Packagistpimcore/admin-ui-classic-bundle< 1.2.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls↗2023-11-28

▶

OSV

Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls↗2023-11-27

▶

GHSA

Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls↗2023-11-27

▶