CVE-2024-45042

{"id": "CVE-2024-45042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2024-09-26T18:15:07.463", "references": [{"url": "https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity\u2019s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. All other aspects of the session (e.g. the session\u2019s aal) are not impacted by this issue. On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require MFA should disable the passwordless code login method. If that is not possible, check the sessions `aal` to identify if the user has `aal1` or `aal2`."}, {"lang": "es", "value": "Ory Kratos es un sistema de autenticaci\u00f3n, gesti\u00f3n de usuarios e identidad para servicios en la nube. Antes de la versi\u00f3n 1.3.0, dadas una serie de condiciones previas, la configuraci\u00f3n `highest_available` supon\u00eda incorrectamente que el AAL m\u00e1s alto disponible de la identidad era `aal1`, aunque en realidad era `aal2`. Esto significa que la configuraci\u00f3n `highest_available` actuar\u00eda como si el usuario tuviera solo un factor configurado para ese usuario en particular. Esto significa que pueden llamar a la configuraci\u00f3n y al endpoint whoami sin una sesi\u00f3n `aal2`, aunque eso deber\u00eda estar prohibido. Un atacante necesitar\u00eda robar o adivinar un OTP de inicio de sesi\u00f3n v\u00e1lido de un usuario que solo tiene habilitado el OTP para el inicio de sesi\u00f3n y que tiene un valor `available_aal` incorrecto almacenado, para explotar esta vulnerabilidad. Todos los dem\u00e1s aspectos de la sesi\u00f3n (por ejemplo, el aal de la sesi\u00f3n) no se ven afectados por este problema. En la red Ory, solo el 0,00066 % de los usuarios registrados se vieron afectados por este problema, y la mayor\u00eda de esos usuarios parec\u00edan ser usuarios de prueba. Desde entonces, se han actualizado sus respectivos valores AAL y ya no son vulnerables a este ataque. La versi\u00f3n 1.3.0 no se ve afectada por este problema. Como workaround, quienes requieran MFA deben deshabilitar el m\u00e9todo de inicio de sesi\u00f3n con c\u00f3digo sin contrase\u00f1a. Si eso no es posible, verifique las sesiones `aal` para identificar si el usuario tiene `aal1` o `aal2`."}], "lastModified": "2024-09-30T12:46:20.237", "sourceIdentifier": "security-advisories@github.com"}