CVE-2024-47768

Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Lif-Platforms/Lif-Auth-Server/commit/8dbd7cad914a8b939451c652bfb716aa796f754e	Patch
https://github.com/Lif-Platforms/Lif-Auth-Server/security/advisories/GHSA-hmv6-8fg8-7m6f	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lifplatforms:lif_authentication_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-10-04 15:15

Updated : 2024-11-13 14:55

NVD link : CVE-2024-47768

Mitre link : CVE-2024-47768

CVE.ORG link : CVE-2024-47768

JSON object : View

Products Affected

lifplatforms

lif_authentication_server

CWE

CWE-287

Improper Authentication

CWE-862

Missing Authorization

{"id": "CVE-2024-47768", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 6.9, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-04T15:15:13.323", "references": [{"url": "https://github.com/Lif-Platforms/Lif-Auth-Server/commit/8dbd7cad914a8b939451c652bfb716aa796f754e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Lif-Platforms/Lif-Auth-Server/security/advisories/GHSA-hmv6-8fg8-7m6f", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3."}, {"lang": "es", "value": "Lif Authentication Server es un servidor que Lif utiliza para realizar diversas tareas relacionadas con las cuentas de Lif. Esta vulnerabilidad tiene que ver con el sistema de recuperaci\u00f3n de cuentas, en el que no parece haber una comprobaci\u00f3n para asegurarse de que se haya enviado al usuario el correo electr\u00f3nico de recuperaci\u00f3n y de que se haya introducido el c\u00f3digo correcto. Si el atacante conociera el correo electr\u00f3nico del objetivo, podr\u00eda proporcionarlo y solicitar inmediatamente al servidor que actualice la contrase\u00f1a sin necesidad de utilizar el c\u00f3digo. Este problema se ha corregido en la versi\u00f3n 1.7.3."}], "lastModified": "2024-11-13T14:55:39.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lifplatforms:lif_authentication_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "502B4877-E466-4740-8B92-97A52AF72651", "versionEndExcluding": "1.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}