PT-2018-9533 · Privacyidea · Privacyidea

Renini

Published

2018-10-08

Updated

2019-01-14

CVE-2018-1000809

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions privacyIDEA versions prior to 2.23.2

Description The issue is related to improper input validation in the token validation API, which can lead to a Denial-of-Service. This can be exploited via an HTTP request to the "/validate/check" API endpoint with specific parameters, such as user= and pass=.

Recommendations For versions prior to 2.23.2, update to version 2.23.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/validate/check" API endpoint until the update is applied. Avoid using the user and pass parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1000809

GHSA-7QQV-R2Q4-JXHM

PYSEC-2018-20

Affected Products

Privacyidea

PT-2018-9533 · Privacyidea · Privacyidea

CVE-2018-1000809

Weakness Enumeration

Related Identifiers

Affected Products

References · 9