GHSA-rqg8-xjp2-pg9w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rqg8-xjp2-pg9w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqg8-xjp2-pg9w/GHSA-rqg8-xjp2-pg9w.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rqg8-xjp2-pg9w
- Aliases
- Published
- 2022-05-24T16:48:44Z
- Modified
- 2024-09-30T17:35:46.371381Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
- Details
-
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time.
This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The automatic resynchronization is deactivated by default. All other tokens are unaffected.
- Database specific
{ "nvd_published_at": "2019-06-27T14:15:00Z", "cwe_ids": [ "CWE-294" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-29T09:47:34Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-12887
- https://github.com/LinOTP/LinOTP/commit/6d28d93af59d2ce0d844a6a3282148064efc6ad8
- https://github.com/LinOTP/LinOTP
- https://github.com/pypa/advisory-database/tree/main/vulns/linotp/PYSEC-2019-103.yaml
- https://linotp.org/linotp-hotfix-autoresync.html
- https://www.linotp.org/CVE-2019-12887.txt
Affected packages
PyPI / linotp
Package
- Name
- linotp
- View open source insights on deps.dev
- Purl
- pkg:pypi/linotp