Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ycWc4LXhqcDItcGc5d84AAhGF
LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time.
This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The automatic resynchronization is deactivated by default. All other tokens are unaffected.
Permalink: https://github.com/advisories/GHSA-rqg8-xjp2-pg9wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycWc4LXhqcDItcGc5d84AAhGF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 19 days ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-rqg8-xjp2-pg9w, CVE-2019-12887
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12887
- https://www.linotp.org/CVE-2019-12887.txt
- https://github.com/LinOTP/LinOTP/commit/6d28d93af59d2ce0d844a6a3282148064efc6ad8
- https://linotp.org/linotp-hotfix-autoresync.html
- https://github.com/advisories/GHSA-rqg8-xjp2-pg9w
Blast Radius: 0.0
Affected Packages
pypi:LinOTP
Dependent packages: 0Dependent repositories: 1
Downloads: 163 last month
Affected Version Ranges: < 2.10.5.3
Fixed in: 2.10.5.3
All affected versions:
All unaffected versions: 2.7.1, 2.7.2, 2.8.1, 2.9.1, 2.9.3, 2.11.1