[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017

Bug ID: 1195017
Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: chris@computersalat.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: security-team@suse.de
CC: chris@computersalat.de, lang@b1-systems.de
Found By: ---
Blocker: ---

It was discovered that versions of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication.

There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.

Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status.

References:
https://www.phpmyadmin.net/security/PMASA-2022-1/
https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5...

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
CC        |                        |ecsos@schirra.net
Assignee  |chris@computersalat.de  |ecsos@schirra.net

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c1

Eric Schirra <ecsos@schirra.net> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
Status    |NEW                     |CONFIRMED

--- Comment #1 from Eric Schirra <ecsos@schirra.net> ---
Request is on the way.

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c2

--- Comment #2 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1195017) was mentioned in
https://build.opensuse.org/request/show/948088 Backports:SLE-12+Backports:SLE-15-SP1+Backports:SLE-15-SP2+Backports:SLE-15-SP3 / phpMyAdmin

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c5

Eric Schirra <ecsos@schirra.net> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
Status    |CONFIRMED               |RESOLVED
Resolution|---                     |FIXED

--- Comment #5 from Eric Schirra <ecsos@schirra.net> ---
Tumbleweed is on 5.1.3
And Leap on 4.9.8

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c6

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
Status    |RESOLVED                |REOPENED
Version   |Leap 15.3               |Leap 15.4
Resolution|FIXED                   |---

--- Comment #6 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
Not fixed in openSUSE:Backports:SLE-15-SP4:Update/phpMyAdmin

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c7

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
Status    |REOPENED                |IN_PROGRESS
CC        |                        |Andreas.Stieger@gmx.de
Assignee  |ecsos@schirra.net       |security-team@suse.de

--- Comment #7 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
submitted

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c8

--- Comment #8 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1195017) was mentioned in
https://build.opensuse.org/request/show/1065584 Backports:SLE-15-SP4 / phpMyAdmin

http://bugzilla.opensuse.org/show_bug.cgi?id=1195017
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c9

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What      |Removed                 |Added
----------------------------------------------------------------------------
Status    |IN_PROGRESS             |RESOLVED
Resolution|---                     |FIXED

--- Comment #9 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
done