privacyIDEA Improper Input Validation vulnerability · CVE-2018-1000809 · GitHub Advisory Database · GitHub

privacyIDEA Improper Input Validation vulnerability

High severity GitHub Reviewed Published Jan 14, 2019 to the GitHub Advisory Database • Updated Oct 18, 2024

Package

privacyIDEA (pip)

Affected versions

< 2.23.2

Patched versions

2.23.2

Description

privacyIDEA version 2.23.1 and earlier contains a Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service. This attack appear to be exploitable via http request with user=&pass= to /validate/check url. This vulnerability appears to have been fixed in 2.23.2.

References

Published to the GitHub Advisory Database Jan 14, 2019

Reviewed Jun 16, 2020

Last updated Oct 18, 2024

Severity

High

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required None

User interaction None

Vulnerable System Impact Metrics

Confidentiality None

Integrity None

Availability High

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N