Headline
CVE-2022-23807: Security - PMASA-2022-1
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
Announcement-ID: PMASA-2022-1
Date: 2022-01-10
Summary
Two factor authentication bypass
Description
There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.
Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user’s two factor status.
Severity
We do not consider this vulnerability to be severe due to the steps required to prepare for the attack and access required. Further, as noted above, a user is permitted to disable two factor authentication through conventional means.
Affected Versions
phpMyAdmin versions of the 4.9 branch prior to 4.9.8 and 5.1 prior to 5.1.2 are affected.
Solution
Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer or apply patch listed below.
References
phpMyAdmin team member William Desportes discovered this weakness
Assigned CVE ids: CVE-2022-23807
CWE ids: CWE-661
Patches
The following commits have been made to fix this issue:
- ca54f1db050859eb8555875c6aa5d7796fdf4b32
More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
Related news
Gentoo Linux Security Advisory 202311-17 - Multiple vulnerabilities have been discovered in phpMyAdmin, the worst of which allows for denial of service. Versions greater than or equal to 5.2.0 are affected.