PT-2024-33288 · Atlassian · Confluence
Christian Flaßkamp · Published 2024-10-09 · Updated 2024-10-11
CVE-2024-48942
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket versions 3.1.4.5 and earlier
Description
The vulnerability allows remote attackers to easily brute-force the 2FA PIN via the "plugins/servlet/twofactor/public/pinvalidation" endpoint: the endpoint accepts the last 30 and the next 30 tokens as valid, which greatly enlarges the set of PINs that a single guess can match.
Recommendations
For versions 3.1.4.5 and earlier, as a temporary workaround, consider restricting access to the "plugins/servlet/twofactor/public/pinvalidation" endpoint until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Bitbucket
Confluence
Jira
Syracom Secure Login