Announcement-ID: PMASA-2022-1
Date: 2022-01-10
Two factor authentication bypass
There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.
Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status.
We do not consider this vulnerability to be severe due to the steps required to prepare for the attack and access required. Further, as noted above, a user is permitted to disable two factor authentication through conventional means.
phpMyAdmin versions of the 4.9 branch prior to 4.9.8 and 5.1 prior to 5.1.2 are affected.
Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer or apply patch listed below.
phpMyAdmin team member William Desportes discovered this weakness
Assigned CVE ids: CVE-2022-23807
CWE ids: CWE-661
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.