CVE-2024-48942

Published: Oct 10, 2024Modified: Oct 11, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.

Affected (3)

Products: Syracom: Secure Login

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Syracom Secure Login	Up to 3.1.4.5
Syracom Secure Login	Up to 3.1.4.5
Syracom Secure Login	Up to 3.1.4.5

Related CWEs

Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

References (1)

https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/3236560898/2024-09-16+-+Secure+Login+security+advisory+-+Insecure+default+configuration

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.