Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS04d2ozLWNwbXItOHdocM4AAuBb

High EPSS: 0.00716% (0.71479 Percentile) EPSS:
Permalink JSON

Cockpit Content Platform vulnerable to 2FA bypass

Affected Packages Affected Versions Fixed Versions
packagist:cockpit-hq/cockpit <= 2.2.1 2.2.2
0 Dependent packages
0 Dependent repositories
76 Downloads total

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1

All unaffected versions

2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4

Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the develop branch and is expected to be part of version 2.2.2.

References:

Identifiers

GHSA-8wj3-cpmr-8whp

CVE-2022-2818

Risk

Severity

High

EPSS

EPSS Percentage: 0.00716

EPSS Percentile: 0.71479

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/cockpit-hq/cockpit

Date and time

Published

almost 3 years ago

Updated

about 2 years ago

API

JSON