CVE-2023-49706
CVE-2023-49706 is a medium-severity vulnerability with a CVSS 3.1 base score of 6.8. Defective request context handling in Self Service in LinOTP 3.x before 3.2.5 allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as and with the permissions of another user. Attackers must generate repeated API requests to trigger a race condition with concurrent user activity in the self-service portal. EPSS estimates a 0.62% chance of exploitation in the next 30 days.
Description
Defective request context handling in Self Service in LinOTP 3.x before 3.2.5 allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as and with the permissions of another user. Attackers must generate repeated API requests to trigger a race condition with concurrent user activity in the self-service portal.
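To make the vulnerability class concrete, the following is an added, constructed model of a request-context race in a self-service API. It is not LinOTP's code and does not claim to reproduce the LinOTP defect; the handler, session table, endpoint names and user names are all hypothetical. A handler authenticates a request, records the resulting user in a context object, yields (simulated I/O), then authorizes and acts on whatever the context holds. If that context is a single process-wide slot rather than per-request state, an unauthenticated request that interleaves with a logged-in user's request completes in that user's identity. The interleaving is forced with Events so the outcome is deterministic; in a real deployment the same window is hit by spraying requests while the victim is active, which is what the advisory's "repeated API requests" refers to. The hardened variant keeps the same handler and only changes the context storage to a per-thread/per-task ContextVar.

```python
"""Constructed model of a request-context race (added example, not LinOTP code)."""
import contextvars
import threading
from typing import Callable, Optional

# Constructed session table: only one valid, logged-in session exists.
SESSIONS = {"cookie-alice": "alice"}


def authenticate(cookie: Optional[str]) -> Optional[str]:
    """Map a session cookie to a user name, or None when not logged in."""
    return SESSIONS.get(cookie)


class SharedContext:
    """Defective pattern: one process-wide slot for the 'current user'."""

    def __init__(self) -> None:
        self.user: Optional[str] = None


# Hardened pattern: a ContextVar is isolated per thread / asyncio task,
# so one request can never observe another request's identity.
request_user: contextvars.ContextVar = contextvars.ContextVar(
    "request_user", default=None)


def handle(set_user: Callable[[Optional[str]], object],
           get_user: Callable[[], Optional[str]],
           cookie: Optional[str], action: str,
           ready: threading.Event, go: threading.Event) -> str:
    """One self-service request: authenticate, store context, yield, act."""
    set_user(authenticate(cookie))
    ready.set()          # context populated; the other request may now run
    go.wait()            # simulated I/O yield (policy lookup, DB read, ...)
    actor = get_user()   # authorization reads the context AFTER the yield
    if actor is None:
        return f"401 {action} rejected"
    return f"200 {action} as {actor}"


def race(set_user, get_user) -> dict:
    """Interleave an unauthenticated request with a logged-in user's request.

    Forced order: attacker stores context -> victim stores context ->
    attacker resumes and reads context -> victim resumes.
    """
    results: dict = {}
    a_ready, a_go, v_ready, v_go = (threading.Event() for _ in range(4))

    def run(name, cookie, action, ready, go):
        results[name] = handle(set_user, get_user, cookie, action, ready, go)

    attacker = threading.Thread(
        target=run, args=("attacker", "bogus-cookie", "disable_token", a_ready, a_go))
    victim = threading.Thread(
        target=run, args=("victim", "cookie-alice", "list_tokens", v_ready, v_go))
    attacker.start()
    a_ready.wait()       # attacker has stored user=None and is "waiting on I/O"
    victim.start()
    v_ready.wait()       # victim has stored user="alice" into the context
    a_go.set()
    attacker.join()      # attacker resumes and acts on whatever the context holds
    v_go.set()
    victim.join()
    return results


def vulnerable_run() -> dict:
    """Shared context: the attacker's request completes as 'alice'."""
    ctx = SharedContext()
    return race(lambda u: setattr(ctx, "user", u), lambda: ctx.user)


def hardened_run() -> dict:
    """Per-request context: the attacker's request is rejected as before."""
    return race(request_user.set, request_user.get)


if __name__ == "__main__":
    print("shared context:     ", vulnerable_run())
    print("per-request context:", hardened_run())
```

The only difference between the two runs is where the authenticated identity lives. The defect is not the yield itself (every real handler yields) but reading identity from state that another in-flight request can overwrite; the fix is to bind identity to the request (thread-local, ContextVar, or an explicit request object passed down the call chain) and never to module or application globals.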
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N (base score 6.8, Medium). PR:N reflects that the attacker needs no account; AC:H and UI:R reflect that the race only triggers when a legitimate user is concurrently active in the self-service portal; C:H/I:H reflect acting with the victim's permissions.
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linotp | Linotp | >= 3.0.0, <= 3.2.4 |
| Linotp | Virtual Appliance | >= 3.0.0, <= 3.2.4 |
References
- https://linotp.org/CVE-2023-49706.txt (Vendor Advisory)
- https://linotp.org/security-update-linotp3-selfservice.html (Vendor Advisory)
- https://www.linotp.org/news.html (Vendor Advisory)
Frequently Asked Questions
What is CVE-2023-49706?
A race condition in the Self Service request context handling of LinOTP 3.x before 3.2.5. A remote unauthenticated attacker who sends repeated API requests while another user is active in the self-service portal can have a request processed as that user, with that user's permissions.
How severe is CVE-2023-49706?
Medium: CVSS 3.1 base score 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). Exploitation requires no privileges but depends on winning a race against concurrent legitimate user activity. EPSS estimates a 0.62% chance of exploitation in the next 30 days.
How do I fix CVE-2023-49706?
Upgrade LinOTP (including the Virtual Appliance) to 3.2.5 or later, per the vendor advisory linked above.
Are you affected by CVE-2023-49706?
You are affected if you run LinOTP or the LinOTP Virtual Appliance at any version from 3.0.0 through 3.2.4 with the Self Service portal enabled.
Source: NVD / NIST
