GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/50722?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50722?format=api",
    "vulnerability_id": "VCID-tf8y-9k9g-jbct",
    "summary": "EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface\n# Vulnerability Allowing MFA Bypass\n\n## Affected EC-CUBE Versions\nVersions: 4.1.0 – 4.3.1\n\n## Vulnerability Overview\nIf an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.\n\n## Severity and Impact\n\n**CVSS v3.1 score**  \nBase score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0\n\nAn attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.\n\n## Root Cause Details\n\nThere are flaws in the access control implementation for the 2FA settings page (`/admin/two_factor_auth/set`).\n\n1. **TwoFactorAuthListener.php**  \n   The route for the 2FA settings page (`admin_two_factor_auth_set`) is included in the list of routes excluded from the 2FA authentication check.\n\n2. **TwoFactorAuthController.php**  \n   Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.\n\n## Attack Preconditions and Steps\n\n**Preconditions:**\n- The attacker knows the administrative user’s ID and password.\n- 2FA is enabled for that user.\n\n**Attack Steps:**\n1. Attempt to log in using the ID and password.\n2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access `/admin/two_factor_auth/set`.\n3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.\n\n\n# MFAバイパスが可能な脆弱性\n\n## EC-CUBEバージョン\nバージョン:  4.1.0 ~ 4.3.1",
    "aliases": [
        {
            "alias": "GHSA-7rhv-h82h-vpjh"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/64198?format=api",
            "purl": "pkg:composer/ec-cube/ec-cube@4.1.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-f13c-wzhp-cqap"
                },
                {
                    "vulnerability": "VCID-fuus-wqhf-s3be"
                },
                {
                    "vulnerability": "VCID-he32-4cf1-akf5"
                },
                {
                    "vulnerability": "VCID-kgjm-uhbj-gffx"
                },
                {
                    "vulnerability": "VCID-tf8y-9k9g-jbct"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@4.1.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/74506?format=api",
            "purl": "pkg:composer/ec-cube/ec-cube@4.3.1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-tf8y-9k9g-jbct"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/ec-cube/ec-cube@4.3.1"
        }
    ],
    "references": [
        {
            "reference_url": "https://github.com/EC-CUBE/ec-cube",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/EC-CUBE/ec-cube"
        },
        {
            "reference_url": "https://github.com/EC-CUBE/ec-cube/commit/094785943bfc3815c29f0cce9dbabb9bcc688474",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/EC-CUBE/ec-cube/commit/094785943bfc3815c29f0cce9dbabb9bcc688474"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-7rhv-h82h-vpjh",
            "reference_id": "GHSA-7rhv-h82h-vpjh",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-7rhv-h82h-vpjh"
        },
        {
            "reference_url": "https://github.com/EC-CUBE/ec-cube/security/advisories/GHSA-7rhv-h82h-vpjh",
            "reference_id": "GHSA-7rhv-h82h-vpjh",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/EC-CUBE/ec-cube/security/advisories/GHSA-7rhv-h82h-vpjh"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 287,
            "name": "Improper Authentication",
            "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tf8y-9k9g-jbct"
}