CVE-2023-49075

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628	Patch
https://github.com/pimcore/admin-ui-classic-bundle/pull/345	Patch URL Repurposed Vendor Advisory
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg	Patch Vendor Advisory
https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*

History

No history.

Information

Published : 2023-11-28 05:15

Updated : 2023-12-04 17:53

NVD link : CVE-2023-49075

Mitre link : CVE-2023-49075

CVE.ORG link : CVE-2023-49075

JSON object : View

Products Affected

pimcore

admin_classic_bundle

CWE

CWE-308

Use of Single-factor Authentication

{"id": "CVE-2023-49075", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}]}, "published": "2023-11-28T05:15:08.160", "references": [{"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/admin-ui-classic-bundle/pull/345", "tags": ["Patch", "URL Repurposed", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-308"}]}], "descriptions": [{"lang": "en", "value": "The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\\Security\\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.\n\n"}, {"lang": "es", "value": "El paquete Admin Classic proporciona una interfaz de usuario backend para Pimcore. `AdminBundle\\Security\\PimcoreUserTwoFactorCondition` introducido en v11 deshabilita la autenticaci\u00f3n de dos factores para todos los firewalls de seguridad que no sean de administrador. Un usuario autenticado puede acceder al sistema sin tener que proporcionar credenciales de dos factores. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.2."}], "lastModified": "2023-12-04T17:53:15.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*", "vulnerable": true, "matchCriteriaId": "6FC10AB5-C7AE-40CF-BC49-6F46432ED1B4", "versionEndExcluding": "1.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}