PMASA-2022-1
Announcement-ID: PMASA-2022-1
Date: 2022-01-10
Summary
Two factor authentication bypass
Description
There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin (presumably using their two factor authentication method) in order to prepare their account for the bypass.
Note that a user is still able to disable two factor authentication through conventional means; this only addresses an unintentional security weakness in how phpMyAdmin processes a user's two factor status.
Severity
We do not consider this vulnerability to be severe due to the steps required to prepare for the attack and access required. Further, as noted above, a user is permitted to disable two factor authentication through conventional means.
Affected Versions
phpMyAdmin versions of the 4.9 branch prior to 4.9.8 and 5.1 prior to 5.1.2 are affected.
Solution
Upgrade to phpMyAdmin 4.9.8, 5.1.2, or newer or apply patch listed below.
References
phpMyAdmin team member William Desportes discovered this weakness
Assigned CVE IDs: CVE-2022-23807
CWE IDs: CWE-661
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.