GHSA-4v8w-gg5j-ph37
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4v8w-gg5j-ph37
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-4v8w-gg5j-ph37/GHSA-4v8w-gg5j-ph37.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4v8w-gg5j-ph37
- Aliases
- Published
- 2025-11-03T17:07:36Z
- Modified
- 2025-11-05T00:58:09.723101Z
- Severity
-
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
- Details
-
Due to an incorrect use of loose (
==) instead of strict (===) comparison in the authentication code, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation.Impact
On MantisBT instances configured to use the MD5 login method, user accounts having a password hash evaluating to zero (i.e. matching regex
^0+[Ee][0-9]+$) are vulnerable, allowing an attacker knowing the victim's username to login without knowledge of their actual password, using any other password having a hash evaluating to zero, for examplecomito5(0e579603064547166083907005281618).No password bruteforcing for individual users is needed, thus $gmaxfailedlogincount does not protect against the attack.
Patches
Fixed in 2.27.2.
Workarounds
Check the database for vulnerable accounts, and change those users' passwords, e.g. for MySQL:
SELECT username, email FROM mantis_user_table WHERE password REGEXP '^0+[Ee][0-9]+$'Credits
Thanks to Harry Sintonen / Reversec for discovering and reporting the issue.
- Database specific
{ "cwe_ids": [ "CWE-305", "CWE-697" ], "github_reviewed": true, "nvd_published_at": "2025-11-04T21:15:37Z", "severity": "HIGH", "github_reviewed_at": "2025-11-03T17:07:36Z" }- References
-
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37
- https://nvd.nist.gov/vuln/detail/CVE-2025-47776
- https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2
- https://github.com/mantisbt/mantisbt
- https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782
- https://mantisbt.org/bugs/view.php?id=35967
Affected packages
Packagist / mantisbt/mantisbt
Package
- Name
- mantisbt/mantisbt
- Purl
- pkg:composer/mantisbt/mantisbt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.27.2