PT-2018-9533 · Privacyidea · Privacyidea
Renini
·
Publicado
2018-10-08
·
Atualizado
2019-01-14
·
CVE-2018-1000809
CVSS v4.0
8.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
privacyIDEA versions prior to 2.23.2
Description
The issue is related to improper input validation in the token validation API, which can lead to a Denial-of-Service. This can be exploited via an HTTP request to the "/validate/check" API endpoint with specific parameters, such as
user= and pass=.Recommendations
For versions prior to 2.23.2, update to version 2.23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/validate/check" API endpoint until the update is applied. Avoid using the
user and pass parameters in the affected API endpoint until the issue is resolved.Exploit
Correção
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Privacyidea