CVE-2024-24771

{"id": "CVE-2024-24771", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.7}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}]}, "published": "2024-02-07T15:15:08.283", "references": [{"url": "https://github.com/open-formulieren/open-forms/releases/tag/2.2.9", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/open-formulieren/open-forms/releases/tag/2.3.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/open-formulieren/open-forms/releases/tag/2.4.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/open-formulieren/open-forms/releases/tag/2.5.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/open-formulieren/open-forms/security/advisories/GHSA-64r3-x3gf-vp63", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-654"}]}], "descriptions": [{"lang": "en", "value": "Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. The maintainers of Open Forms do not believe it is or has been possible to perform this login. However, if this were possible, the victim's account may be abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data. Three mitigating factors to help prevent exploitation include: the usual login page (at `/admin/login/`) does not fully log in the user until the second factor was succesfully provided; the additional non-MFA protected login page at `/api/v2/api-authlogin/` was misconfigured and could not be used to log in; and there are no additional ways to log in. This also requires credentials of a superuser to be compromised to be exploitable. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain the following patches to address these weaknesses: Move and only enable the API auth endpoints (`/api/v2/api-auth/login/`) with `settings.DEBUG = True`. `settings.DEBUG = True` is insecure and should never be applied in production settings. Additionally, apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking."}, {"lang": "es", "value": "Open Forms permite a los usuarios crear y publicar formularios inteligentes. Las versiones anteriores a 2.2.9, 2.3.7, 2.4.5 y 2.5.2 contienen una debilidad de autenticaci\u00f3n multifactor no explotable. Los superusuarios que tienen sus credenciales (nombre de usuario + contrase\u00f1a) comprometidas podr\u00edan pasar por alto la autenticaci\u00f3n de segundo factor si un atacante de alguna manera logra autenticarse en Open Forms. Los mantenedores de Open Forms no creen que sea ni haya sido posible realizar este inicio de sesi\u00f3n. Sin embargo, si esto fuera posible, se podr\u00eda abusar de la cuenta de la v\u00edctima para ver datos de env\u00edo (potencialmente confidenciales) o haber sido utilizada para hacerse pasar por otras cuentas del personal para ver y/o modificar datos. Tres factores atenuantes para ayudar a prevenir la explotaci\u00f3n incluyen: la p\u00e1gina de inicio de sesi\u00f3n habitual (en `/admin/login/`) no inicia la sesi\u00f3n completa del usuario hasta que el segundo factor se proporciona con \u00e9xito; la p\u00e1gina de inicio de sesi\u00f3n adicional no protegida por MFA en `/api/v2/api-authlogin/` estaba mal configurada y no se pod\u00eda usar para iniciar sesi\u00f3n; y no hay formas adicionales de iniciar sesi\u00f3n. Esto tambi\u00e9n requiere que las credenciales de un superusuario est\u00e9n comprometidas para que sean explotables. Las versiones 2.2.9, 2.3.7, 2.4.5 y 2.5.2 contienen los siguientes parches para abordar estas debilidades: Mover y habilitar solo los endpoints de autenticaci\u00f3n API (`/api/v2/api-auth/login/`) con `settings.DEBUG = True`. `settings.DEBUG = True` es inseguro y nunca debe aplicarse en entornos de producci\u00f3n. Adem\u00e1s, aplique una verificaci\u00f3n de permiso personalizada al flujo de secuestro para permitir que solo los superusuarios verificados por un segundo factor realicen el secuestro de usuarios."}], "lastModified": "2024-02-15T05:01:22.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "161AEFCB-F079-472E-86A6-07D57D35E2B4", "versionEndExcluding": "2.2.9"}, {"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D90A88F3-FA88-43D2-A0CC-CB07C72214B4", "versionEndExcluding": "2.3.7", "versionStartIncluding": "2.3.0"}, {"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13ADD1B0-57FD-4991-8B4A-2340EDEAADC5", "versionEndExcluding": "2.4.5", "versionStartIncluding": "2.4.0"}, {"criteria": "cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BCE6950-BEFB-4D6E-BB5D-99A16A9E0DC8", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}