Bug ID 1195017
Summary VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.3
Hardware Other
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee chris@computersalat.de
Reporter Andreas.Stieger@gmx.de
QA Contact security-team@suse.de
CC chris@computersalat.de, lang@b1-systems.de
Found By ---
Blocker ---

It was discovered that versions of phpMyAdmin prior to 4.9.8 and 5.1.2 are
subject to a bypass of two-factor authentication.

There is a sequence of actions a valid user can take that will allow them to
bypass two-factor authentication for that account. A user must first connect to
phpMyAdmin (presumably using their two-factor authentication method) in order
to prepare their account for the bypass.

Note that a user is still able to disable two-factor authentication through
conventional means; this only addresses an unintentional security weakness in
how phpMyAdmin processes a user's two-factor status.

References:
https://www.phpmyadmin.net/security/PMASA-2022-1/
https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32
