New subject: [Bug 1195017] VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)

22 Jan 2022

      http://bugzilla.opensuse.org/show_bug.cgi?id=1195017

            Bug ID: 1195017
           Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor
                    authentication bypass (PMASA-2022-1)
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.3
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: Security
          Assignee: chris@computersalat.de
          Reporter: Andreas.Stieger@gmx.de
        QA Contact: security-team@suse.de
                CC: chris@computersalat.de, lang@b1-systems.de
          Found By: ---
           Blocker: ---

It was discovered that version of phpMyAdmin prior to 4.9.8 and 5.1.2 are
subject to a bypass of two-factor authentication.

There is a sequence of actions a valid user can take that will allow them to
bypass two factor authentication for that account. A user must first connect to
phpMyAdmin (presumably using their two factor authentication method) in order
to prepare their account for the bypass.

Note that a user is still able to disable two factor authentication through
conventional means; this only addresses an unintentional security weakness in
how phpMyAdmin processes a user's two factor status.

References:
https://www.phpmyadmin.net/security/PMASA-2022-1/
https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5...

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

tags

participants (1)