CVE-2022-24857 : django-mfa3 is a library that implements multi factor authentication for the dja

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)

Published 2022-04-15 19:15:12

Updated 2023-02-03 17:38:15

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-24857

Django-mfa3 Project » Django-mfa3
Versions before (<) 0.5.0
cpe:2.3:a:django-mfa3_project:django-mfa3:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24857

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24857

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N	2.1	5.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-24857

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2022-24857

https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4

Multi factor authentication bypass via admin login · Advisory · xi/django-mfa3 · GitHub
Third Party Advisory
https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15

django-mfa3/CHANGES.md at main · xi/django-mfa3 · GitHub
Release Notes;Third Party Advisory
https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de

fix bypass via admin login · xi/django-mfa3@32f656e · GitHub
Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0003/

CVE-2022-24857 Django Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24857

Products affected by CVE-2022-24857

Exploit prediction scoring system (EPSS) score for CVE-2022-24857

CVSS scores for CVE-2022-24857

CWE ids for CVE-2022-24857

References for CVE-2022-24857