Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3NnItdmdmMy1qNnc1
October CMS auth bypass and account takeover
Impact
An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must first obtain the Laravel secret key used for cookie encryption and signing.
- Due to the logic of how this mechanism works, the targeted user account must be logged in while the attacker is exploiting the vulnerability.
- Authorization via the persist cookie is not shown in access logs.
Patches
- The issue has been patched in Build 472 and v1.1.5.
- Shortened patch instructions
Workarounds
Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.
[Update 2022-01-20] Shortened patch instructions can be found here.
Recommendations
We recommend the following steps to make sure your server stays secure:
- Keep server OS and system software up to date.
- Keep October CMS software up to date.
- Use a multi-factor authentication plugin.
- Change the default backend URL or block public access to the backend area.
- Include the Roave/SecurityAdvisories Composer package to ensure that your application does not have installed dependencies with known security vulnerabilities.
References
Bugs found as part of Solar Security CMS Research. Credits to:
- Andrey Basarygin
- Andrey Guzei
- Mikhail Khramenkov
- Alexander Sidukov
- Maxim Teplykh
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3NnItdmdmMy1qNnc1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-h76r-vgf3-j6w5, CVE-2021-29487
References:
- https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5
- https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
- https://nvd.nist.gov/vuln/detail/CVE-2021-29487
- https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
- https://github.com/advisories/GHSA-h76r-vgf3-j6w5
Blast Radius: 18.7
Affected Packages
packagist:october/system
Dependent packages: 37
Dependent repositories: 340
Downloads: 1,011,050 total
Affected Version Ranges: >= 1.1.1, < 1.1.5, < 1.0.472
Fixed in: 1.1.5, 1.0.472
All affected versions: 1.0.319, 1.0.320, 1.0.321, 1.0.322, 1.0.323, 1.0.324, 1.0.325, 1.0.326, 1.0.327, 1.0.328, 1.0.329, 1.0.330, 1.0.331, 1.0.332, 1.0.333, 1.0.334, 1.0.335, 1.0.336, 1.0.337, 1.0.338, 1.0.339, 1.0.340, 1.0.341, 1.0.342, 1.0.343, 1.0.344, 1.0.345, 1.0.346, 1.0.347, 1.0.348, 1.0.349, 1.0.350, 1.0.351, 1.0.352, 1.0.353, 1.0.354, 1.0.355, 1.0.356, 1.0.357, 1.0.358, 1.0.359, 1.0.360, 1.0.361, 1.0.362, 1.0.363, 1.0.364, 1.0.365, 1.0.366, 1.0.367, 1.0.368, 1.0.369, 1.0.370, 1.0.371, 1.0.372, 1.0.373, 1.0.374, 1.0.375, 1.0.376, 1.0.377, 1.0.378, 1.0.379, 1.0.380, 1.0.381, 1.0.382, 1.0.383, 1.0.384, 1.0.385, 1.0.386, 1.0.387, 1.0.388, 1.0.389, 1.0.390, 1.0.391, 1.0.392, 1.0.393, 1.0.394, 1.0.395, 1.0.396, 1.0.397, 1.0.398, 1.0.399, 1.0.400, 1.0.401, 1.0.402, 1.0.403, 1.0.404, 1.0.405, 1.0.406, 1.0.407, 1.0.408, 1.0.409, 1.0.410, 1.0.411, 1.0.412, 1.0.413, 1.0.414, 1.0.415, 1.0.416, 1.0.417, 1.0.418, 1.0.419, 1.0.420, 1.0.421, 1.0.422, 1.0.423, 1.0.424, 1.0.425, 1.0.426, 1.0.427, 1.0.428, 1.0.429, 1.0.430, 1.0.431, 1.0.432, 1.0.433, 1.0.434, 1.0.435, 1.0.436, 1.0.437, 1.0.438, 1.0.439, 1.0.440, 1.0.441, 1.0.442, 1.0.443, 1.0.444, 1.0.445, 1.0.446, 1.0.447, 1.0.448, 1.0.449, 1.0.450, 1.0.451, 1.0.452, 1.0.453, 1.0.454, 1.0.455, 1.0.456, 1.0.457, 1.0.458, 1.0.459, 1.0.460, 1.0.461, 1.0.462, 1.0.463, 1.0.464, 1.0.465, 1.0.466, 1.0.467, 1.0.468, 1.0.469, 1.0.470, 1.0.471, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.0.472, 1.0.473, 1.0.474, 1.0.475, 1.0.476, 1.1.0, 1.1.5, 1.1.6, 1.1.9, 1.1.10, 1.1.11, 1.1.12