// For flags

CVE-2024-52598

2FAuth vulnerable to Server Side Request Forgery + URI validation bypass in 2fauth /api/v1/twofaccounts/preview

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Two interconnected vulnerabilities exist in version 5.4.1 a SSRF and URI validation bypass issue. The endpoint at POST /api/v1/twofaccounts/preview allows setting a remote URI to retrieve the image of a 2fa site. By abusing this functionality, it is possible to force the application to make a GET request to an arbitrary URL, whose content will be stored in an image file in the server if it looks like an image. Additionally, the library does some basic validation on the URI, attempting to filter our URIs which do not have an image extension. However, this can be easily bypassed by appending the string `#.svg` to the URI. The combination of these two issues allows an attacker to retrieve URIs accessible from the application, as long as their content type is text based. If not, the request is still sent, but the response is not reflected to the attacker. Version 5.4.1 fixes the issues.

2FAuth es una aplicación web para administrar cuentas de autenticación de dos factores (2FA) y generar sus códigos de seguridad. Existen dos vulnerabilidades interconectadas en la versión 5.4.1: un problema de omisión de validación de SSRF y URI. El endpoint en POST /api/v1/twofaccounts/preview permite configurar una URI remota para recuperar la imagen de un sitio 2fa. Al abusar de esta funcionalidad, es posible forzar a la aplicación a realizar una solicitud GET a una URL arbitraria, cuyo contenido se almacenará en un archivo de imagen en el servidor si parece una imagen. Además, la biblioteca realiza una validación básica en la URI, intentando filtrar nuestras URI que no tienen una extensión de imagen. Sin embargo, esto se puede omitir fácilmente agregando la cadena `#.svg` a la URI. La combinación de estos dos problemas permite a un atacante recuperar URI accesibles desde la aplicación, siempre que su tipo de contenido esté basado en texto. Si no, la solicitud se envía de todos modos, pero la respuesta no se refleja al atacante. La versión 5.4.1 corrige los problemas.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-11-14 CVE Reserved
  • 2024-11-20 CVE Published
  • 2024-11-20 CVE Updated
  • 2024-11-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (1)
URL Tag Source
https://github.com/Bubka/2FAuth/security/advisories/GHSA-xwxc-w7v3-2p4j X_refsource_confirm
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Bubka
Search vendor "Bubka"
 2FAuth
Search vendor "Bubka" for product "2FAuth"
 < 5.4.1
Search vendor "Bubka" for product "2FAuth" and version " < 5.4.1"
en
Affected