ghsa-fg52-xjfc-9rh8
Vulnerability from github
Pterodactyl version 0.7.13 and lower - 2FA Sniffing
Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.
Impact
Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.
A logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.
For more information
If you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.13"
},
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1020002"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T14:34:49Z",
"nvd_published_at": "2019-07-29T15:15:00Z",
"severity": "HIGH"
},
"details": "**Pterodactyl version 0.7.13 and lower - 2FA Sniffing**\n\nUsers who have enabled 2FA protections on their account can unintentionally have their account\u0027s existence sniffed by malicious users who enter random credentials into the login fields.\n\n### Impact\nUsers who have enabled 2FA protections on their account can unintentionally have their account\u0027s existence sniffed by malicious users who enter random credentials into the login fields.\n\nA logical mistake was made when the original code was written that would wait to verify the user\u0027s password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.\n\n### For more information\nIf you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.",
"id": "GHSA-fg52-xjfc-9rh8",
"modified": "2022-12-16T14:34:49Z",
"published": "2022-05-24T16:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-vcm9-hx3q-qwj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1020002"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/092e7e79fff858ee026608c7dbccab165a67526f"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/releases/tag/v0.7.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pterodactyl vulnerable to 2FA Sniffing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.