[Bug 1195017] New: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017

Bug ID: 1195017
Summary: VUL-1: CVE-2022-23807: phpMyAdmin: Two factor authentication bypass (PMASA-2022-1)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: chris@computersalat.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: security-team@suse.de
CC: chris@computersalat.de, lang@b1-systems.de
Found By: ---
Blocker: ---

It was discovered that versions of phpMyAdmin prior to 4.9.8 and 5.1.2 are subject to a bypass of two-factor authentication.

There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.

Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status.

References:
https://www.phpmyadmin.net/security/PMASA-2022-1/
https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5...

--
You are receiving this mail because:
You are on the CC list for the bug.
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c1
Eric Schirra
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c2
--- Comment #2 from OBSbugzilla Bot
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c5
Eric Schirra
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c6
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c7
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c8
--- Comment #8 from OBSbugzilla Bot
http://bugzilla.opensuse.org/show_bug.cgi?id=1195017#c9
Andreas Stieger