CVE-2019-12887 – linotp
Package
Manager: pip
Name: linotp
Vulnerable Version: >=0 <2.11.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0035 pctl0.56781
Details
LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
LinOTP is prone to a replay attack when automatic resynchronization is activated. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time. This attack is only possible if automatic resynchronization is enabled for the TOTP token type. Automatic resynchronization is deactivated by default. All other token types are unaffected.
Metadata
Created: 2022-05-24T16:48:44Z
Modified: 2024-09-30T16:45:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqg8-xjp2-pg9w/GHSA-rqg8-xjp2-pg9w.json
CWE IDs: ["CWE-294"]
Alternative ID: GHSA-rqg8-xjp2-pg9w
Finding: F115
Auto approve: 1