
CVE-2023-1939: DEVO-2023-0009

No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface.


Affected Products

Remote Desktop Manager

Change Log

Initial Publication - 2023-04-11

Product

Remote Desktop Manager

Fix Version

RDMW 2022.3.34.0, RDML 2022.3.2.1

Summary

Remote Desktop Manager is affected by multiple security vulnerabilities.

Two factor authentication bypass

Description

A two-factor authentication bypass on login in Devolutions Remote Desktop Manager 2022.3.35 and earlier allows a user to cancel the two-factor authentication via the application user interface and open entries.

Remediation and Workarounds

Upgrade Remote Desktop Manager to 2022.3.36 or higher.

Severity

Medium - 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Affected Products

Remote Desktop Manager 2022.3.35 and earlier

No access control for the OTP key on OTP entries

Description

No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface.

Remediation and Workarounds

Upgrade Remote Desktop Manager Windows to 2022.3.34 or higher.

Upgrade Remote Desktop Manager Linux to 2022.3.2.1 or higher.

Severity

Medium (4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products

Remote Desktop Manager Windows 2022.3.23.0 and earlier

Remote Desktop Manager Linux 2022.3.2.0 and earlier
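To check an install base against the fix versions listed above, the following added example (not Devolutions code) compares each host's Remote Desktop Manager version with the advisory's fix versions per platform. The inventory format and host names are constructed, and applying the 2FA-bypass fix version only to Windows builds is an assumption, since the advisory names no platform for it.

```python
import re
# Fix versions come from the advisory. Its 2FA-bypass fix (2022.3.36) names no
# platform; treating it as a Windows build number is an assumption.
OTP = "OTP key exposure (CVE-2023-1939)"
TWOFA = "2FA bypass on login"
FIXED_IN = {
    OTP: {"windows": (2022, 3, 34, 0), "linux": (2022, 3, 2, 1)},
    TWOFA: {"windows": (2022, 3, 36, 0)},
}

def parse_version(text):
    """Turn '2022.3.35' or '2022.3.33.0' into a 4-tuple, padding with zeros."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(platform, version):
    """Return {issue: 'affected' | 'fixed' | 'not stated'} for one install."""
    installed, result = parse_version(version), {}
    for issue, fixes in FIXED_IN.items():
        fix = fixes.get(platform.lower())
        if fix is None:  # advisory gives no fix version for this platform
            result[issue] = "not stated"
        else:
            result[issue] = "affected" if installed < fix else "fixed"
    return result

# Constructed inventory rows (host, platform, RDM version); not real data.
INVENTORY = """\
ws-041,windows,2022.3.33.0
ws-107,windows,2022.3.35
ws-212,windows,2022.3.36
lx-003,linux,2022.3.2.0
lx-009,linux,2022.3.2.1
"""

def affected_hosts(inventory):
    """Map host -> list of issues it is still exposed to."""
    report = {}
    for line in inventory.splitlines():
        host, platform, version = (f.strip() for f in line.split(","))
        issues = [i for i, s in triage(platform, version).items() if s == "affected"]
        if issues:
            report[host] = issues
    return report

if __name__ == "__main__":
    print(affected_hosts(INVENTORY))
```

Hosts reported as "not stated" for an issue need a manual check against the vendor's advisory rather than being assumed safe.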
