GHSA-4gm4-c4mh-4p7w

Suggest an improvement
Source
https://github.com/advisories/GHSA-4gm4-c4mh-4p7w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4gm4-c4mh-4p7w/GHSA-4gm4-c4mh-4p7w.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4gm4-c4mh-4p7w
Aliases
  • CVE-2024-37893
Published
2024-06-17T22:28:28Z
Modified
2024-06-26T05:26:16.937422Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Firefly III has a MFA bypass in oauth flow
Details

Impact

A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password.

Patches

Problem has been patched in Firefly III v6.1.17 and up.

Workarounds

  • Use a unique password for your Firefly III instance,
  • Store your password securely, i.e. in a password manager or in your head.

References

  • https://owasp.org/www-community/attacks/PasswordSprayingAttack
  • https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass
Database specific
{
    "nvd_published_at": "2024-06-17T20:15:13Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-288"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:28:28Z"
}
References

Affected packages

Packagist / grumpydictator/firefly-iii

Package

Name
grumpydictator/firefly-iii
Purl
pkg:composer/grumpydictator/firefly-iii

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.17

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4
3.4.0.1
3.4.0.2
3.4.0.3
3.4.0.4
3.4.0.5
3.4.0.6
3.4.0.7
3.4.0.8
3.4.0.9
3.4.0.10
3.4.1
3.4.2
3.4.3
3.4.4
3.4.4.1
3.4.4.2
3.4.5
3.4.6
3.4.6.1
3.4.7
3.4.8
3.4.9
3.4.10
3.4.11
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.6.1
3.6.0
3.6.1
3.7.0
3.7.1
3.7.2
3.7.2.1
3.7.2.2
3.7.2.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.9.0
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.10.4

4.*

4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.6.10
4.6.11
4.6.11.1
4.6.12
4.6.13
4.7.0
4.7.1
4.7.1.1
4.7.1.2
4.7.1.3
4.7.1.4
4.7.2
4.7.2.1
4.7.2.2
4.7.3
4.7.3.1
4.7.3.2
4.7.4
4.7.5
4.7.5.1
4.7.5.2
4.7.5.3
4.7.6
4.7.6.1
4.7.6.2
4.7.7
4.7.8
4.7.9
4.7.10
4.7.11
4.7.12
4.7.12.1
4.7.13
4.7.14
4.7.15
4.7.16
4.7.17
4.7.17.1
4.7.17.2
4.7.17.3
4.7.17.4
4.7.17.5
4.7.17.6
4.8.0
4.8.0.1
4.8.0.2
4.8.0.3
4.8.1
4.8.1.1
4.8.1.2
4.8.1.3
4.8.1.4
4.8.1.5
4.8.1.6
4.8.1.7
4.8.1.8
4.8.2-alpha.1
4.8.2-alpha.2
4.8.2-alpha.3
4.8.2-alpha.4
4.8.2-alpha.5
4.8.2-alpha.6
4.8.2-beta.1
4.8.2-beta.2
4.8.2
4.8.3-alpha.1

5.*

5.0.0-alpha.1
5.0.0-alpha.2
5.0.0-beta.1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1.0-alpha.1
5.1.0-beta.1
5.1.0
5.1.1
5.2.0-alpha.1
5.2.0-beta.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.3.0-alpha.1
5.3.0-beta.1
5.3.0-beta.2
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0-alpha.1
5.4.0-alpha.2
5.4.0-alpha.3
5.4.0-beta.1
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.5.0-beta.1
5.5.0-beta.2
5.5.0-beta.3
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.6.0-alpha.1
5.6.0-alpha.2
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.6.10
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12
5.7.13
5.7.14
5.7.15
5.7.16
5.7.17
5.7.18
5.8.0-alpha.1

6.*

6.0.0-alpha.1
6.0.0-alpha.2
6.0.0-beta.1
6.0.9

v6.*

v6.0.0-beta.2
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.19
v6.0.20
v6.0.21
v6.0.22
v6.0.23
v6.0.24
v6.0.25
v6.0.26
v6.0.27
v6.0.28
v6.0.29
v6.0.30
v6.1.0-alpha.1
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16