Replay Attack Vulnerability in Django MFA2 by mkalioby
CVE-2022-42731

7.5HIGH

Key Information:

Vendor: Django-mfa2 Project
Status: Django-mfa2
Vendor: CVE Published:; 11 October 2022

What is CVE-2022-42731?

The Django MFA2 library, prior to version 2.5.1 and 2.6.x versions before 2.6.1, is susceptible to a replay attack that enables an unauthorized actor to register additional devices on behalf of a user. The flaw arises as the device registration challenge fails to invalidate post-usage, potentially allowing exploitation of this weakness for malicious purposes.

References

https://github.com/mkalioby/django-mfa2/blob/0936ea253354...

https://github.com/mkalioby/django-mfa2/releases/tag/v2.5...

https://github.com/mkalioby/django-mfa2/releases/tag/v2.6...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Oct 10, 2022

Django-mfa2 Project

What is CVE-2022-42731?

References

CVSS V3.1

Timeline