CVE-2022-24857

Multi factor authentication bypass in django-mfa3

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)

django-mfa3 es una librería que implementa la autenticación multifactor para el framework web django. Lo consigue al modificar la visualización de inicio de sesión normal. Sin embargo, Django presenta una segunda visualización de inicio de sesión para su área de administración. Esta segunda visualización de inicio de sesión no fue modificada, por lo que la autenticación multifactor puede ser omitida. Los usuarios están afectados si han activado tanto django-mfa3 (versiones anteriores a 0.5.0) como django.contrib.admin y no han tomado ninguna otra medida para evitar que los usuarios accedan a la visualización de inicio de sesión del administrador. El problema ha sido corregido en django-mfa3 versión 0.5.0. Es posible mitigar el problema al sobrescribir la ruta de inicio de sesión del administrador, por ejemplo, al añadir la siguiente definición de URL *before* de las rutas del administrador: url("admin/login/", lambda request: redirect(settings.LOGIN_URL)

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-15 CVE Published
2023-12-05 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (4)

URL	Tag	Source
https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15	Release Notes
https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0003	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de	2023-02-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Django-mfa3 Project Search vendor "Django-mfa3 Project"		Django-mfa3 Search vendor "Django-mfa3 Project" for product "Django-mfa3"				< 0.5.0 Search vendor "Django-mfa3 Project" for product "Django-mfa3" and version " < 0.5.0"		-		Affected