edumfa@2.2.0

eduMFA: identity, multifactor authentication (OTP), authorization, audit

  • latest version

    2.9.3

  • latest non-vulnerable version

  • first published

    2 years ago

  • latest version published

    26 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the edumfa package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity
    Insufficient Session Expiration

    edumfa is the eduMFA package: identity, multifactor authentication (OTP), authorization, audit.

    Affected versions of this package are vulnerable to Insufficient Session Expiration because the userless Passkey/WebAuthn challenge process stores no expiration information with the challenge, so an issued challenge never becomes stale. An attacker can authenticate as another user by replaying a previously issued challenge. A challenge should be valid only for a short window and accepted at most once; without an expiry, anything captured earlier stays usable indefinitely.

    How to fix Insufficient Session Expiration?

    Upgrade edumfa to version 2.9.1 or higher.

    Vulnerable versions: [,2.9.1)
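The following is an added illustration of the replay problem described in this entry; it is not eduMFA's code and does not reproduce its WebAuthn implementation. It abstracts the authenticator signature away and keeps only the server-side challenge bookkeeping: a store that records challenges with no expiry (the vulnerable pattern) next to one that attaches an absolute expiry and consumes each challenge on first use. The class names, the 120-second TTL and the fixed clock value are assumptions made for the example.

```python
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid; assumed value


class NoExpiryChallengeStore:
    """Vulnerable pattern: a challenge is recorded with no expiry and is never
    removed, so anything ever issued remains replayable indefinitely."""

    def __init__(self):
        self._issued = {}  # challenge -> user it was issued for

    def issue(self, user, now=None):
        challenge = secrets.token_hex(32)
        self._issued[challenge] = user
        return challenge

    def verify(self, challenge, now=None):
        # Only checks that the challenge was issued at some point in the past.
        return self._issued.get(challenge)


class ExpiringChallengeStore:
    """Hardened pattern: each challenge carries an absolute expiry and is
    deleted the first time it is presented, so it is usable once, within the
    window, and never again."""

    def __init__(self, ttl=CHALLENGE_TTL):
        self._issued = {}  # challenge -> (user, expires_at)
        self._ttl = ttl

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_hex(32)
        self._issued[challenge] = (user, now + self._ttl)
        return challenge

    def verify(self, challenge, now=None):
        now = time.time() if now is None else now
        record = self._issued.pop(challenge, None)  # consume on first use
        if record is None:
            return None  # unknown or already used
        user, expires_at = record
        if now > expires_at:
            return None  # stale challenge
        return user


T0 = 1_700_000_000.0  # constructed fixed clock so the outcomes are deterministic


def replay_outcome(store, delay):
    """Issue a challenge for alice, present it once legitimately, then present
    the same challenge again `delay` seconds later. Returns (first, replay)."""
    challenge = store.issue("alice", now=T0)
    first = store.verify(challenge, now=T0 + 1)
    replay = store.verify(challenge, now=T0 + 1 + delay)
    return first, replay


def stale_outcome(store, delay):
    """Issue a challenge for bob and present it for the first time only after
    `delay` seconds. Returns the user the store accepts it for, or None."""
    challenge = store.issue("bob", now=T0)
    return store.verify(challenge, now=T0 + delay)


if __name__ == "__main__":
    print("no expiry, replay an hour later:", replay_outcome(NoExpiryChallengeStore(), 3600))
    print("expiring, immediate replay:", replay_outcome(ExpiringChallengeStore(), 0))
    print("expiring, first use after TTL:", stale_outcome(ExpiringChallengeStore(), CHALLENGE_TTL + 1))
```

The store without expiry accepts the replayed challenge an hour later and would do so a year later; the expiring store rejects the second presentation even when it is immediate, and rejects a first presentation that arrives after the TTL. In a real deployment the expiry check belongs on the server record, not in the client-supplied data, since the client is the party being distrusted.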
    • High severity
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation via the /validate/check endpoint when the resolver parameter is supplied for a user that does not exist: instead of rejecting the request, the failcounter of every token associated with the specified resolver is incremented. An attacker can repeat such requests with arbitrary resolver values and drive up the failcounters of all tokens in a resolver, which locks those tokens once they reach their failcounter limit, a denial of service against users who have done nothing wrong.

    How to fix Improper Input Validation?

    Upgrade edumfa to version 2.9.1 or higher.

    Vulnerable versions: [,2.9.1)
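The following is an added model of the failcounter behaviour this entry describes; it is not eduMFA's code and the token table, user directory, resolver names and OTP values are constructed for the illustration. It shows one plausible way the effect arises (an unresolvable user is dropped from the token query, leaving only the resolver filter) beside the hardened form, where an unresolvable user is rejected before any token is selected.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Token:
    serial: str
    user: str
    resolver: str
    otp: str          # constructed: the one OTP this token currently accepts
    failcount: int = 0


# Constructed token table: two resolvers, three users.
TOKENS = [
    Token("TOTP0001", "alice", "ldap-staff", "123456"),
    Token("TOTP0002", "bob", "ldap-staff", "234567"),
    Token("HOTP0003", "carol", "sql-students", "345678"),
]

# Constructed user directory: the (login, resolver) pairs that actually exist.
USERS = {(t.user, t.resolver) for t in TOKENS}


def tokens_for(tokens, user=None, resolver=None):
    """Select tokens matching whichever of user/resolver is given (None = any)."""
    return [t for t in tokens
            if (user is None or t.user == user)
            and (resolver is None or t.resolver == resolver)]


def _verify_and_count(candidates, otp):
    """Shared tail: success if any candidate accepts the OTP; otherwise every
    candidate's failcounter is incremented, which is how failcounters normally
    behave for a user's own tokens."""
    if any(t.otp == otp for t in candidates):
        return True
    for t in candidates:
        t.failcount += 1
    return False


def check_vulnerable(tokens, user, resolver, otp):
    """Vulnerable pattern: when the user cannot be resolved, the login is
    dropped and the token query keeps only the resolver filter, so one wrong
    OTP for a non-existent user penalises every token in that resolver."""
    if (user, resolver) not in USERS:
        user = None
    return _verify_and_count(tokens_for(tokens, user=user, resolver=resolver), otp)


def check_fixed(tokens, user, resolver, otp):
    """Hardened pattern: an unresolvable user is rejected before any token is
    selected, so nothing is incremented; the failure would only be audited."""
    if (user, resolver) not in USERS:
        return False
    return _verify_and_count(tokens_for(tokens, user=user, resolver=resolver), otp)


def failcounts_after(check, user, resolver, otp, attempts):
    """Run `attempts` /validate/check-style requests against a fresh copy of the
    constructed table and return the resulting {serial: failcount}."""
    tokens = deepcopy(TOKENS)
    for _ in range(attempts):
        check(tokens, user, resolver, otp)
    return {t.serial: t.failcount for t in tokens}


if __name__ == "__main__":
    # Attacker: unknown login, real resolver name, garbage OTP, repeated.
    print("vulnerable:", failcounts_after(check_vulnerable, "nobody", "ldap-staff", "000000", 5))
    print("fixed:     ", failcounts_after(check_fixed, "nobody", "ldap-staff", "000000", 5))
```

With the vulnerable check, five requests for a login that does not exist leave every ldap-staff token with a failcounter of 5 while sql-students is untouched; the attacker never needed a valid login, only a resolver name. With the fixed check the same requests change nothing, and a wrong OTP for a real user still increments only that user's tokens.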
    • High severity
    Improper Authorization

    Affected versions of this package are vulnerable to Improper Authorization in the token process. An attacker can gain unauthorized access or reuse an authentication token by exploiting a race condition in database transaction isolation: a second request that reads the token state before the first request's update is committed can still be accepted. This is only exploitable if the deployment uses MySQL (any version) or MariaDB with innodb_snapshot_isolation=OFF, and the attacker is able to race the validating transaction.

    How to fix Improper Authorization?

    Upgrade edumfa to version 2.9.1 or higher.

    Vulnerable versions: [,2.9.1)
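The following is an added illustration of the check-then-update race this entry describes; it is not eduMFA's code and does not claim to show where in eduMFA the race sat. It models a counter-based OTP token in an in-memory SQLite table (constructed; SQLite is used only so the example runs offline, the real issue concerns MySQL/MariaDB isolation) and interleaves two validation requests by hand: both read the counter before either writes. An unconditional UPDATE lets both requests succeed, a compare-and-swap UPDATE that carries the previously read counter in its WHERE clause lets only one through. The serial, the starting counter and the stand-in OTP function are assumptions.

```python
import sqlite3


def new_db():
    """Constructed token table with one HOTP token at counter 5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token (serial TEXT PRIMARY KEY, counter INTEGER NOT NULL)")
    conn.execute("INSERT INTO token VALUES ('HOTP0001', 5)")
    conn.commit()
    return conn


def otp_for_counter(counter):
    """Constructed stand-in for the HOTP computation: the OTP is a function of
    the counter, so the OTP for counter 5 is valid exactly once."""
    return f"{(counter * 7919) % 1000000:06d}"


class Request:
    """One validation request split into the two steps that race: the read
    plus verification, and the write that advances the counter."""

    def __init__(self, conn, serial, otp):
        self.conn, self.serial, self.otp = conn, serial, otp
        self.seen = None  # counter value this request read

    def read_and_verify(self):
        (self.seen,) = self.conn.execute(
            "SELECT counter FROM token WHERE serial=?", (self.serial,)).fetchone()
        return self.otp == otp_for_counter(self.seen)

    def commit_vulnerable(self):
        # Unconditional write: trusts the value read earlier, even if another
        # request has advanced the counter in the meantime.
        self.conn.execute("UPDATE token SET counter=? WHERE serial=?",
                          (self.seen + 1, self.serial))
        return True

    def commit_cas(self):
        # Conditional write: succeeds only if nobody else advanced the counter
        # since this request read it; rowcount 0 means the OTP was already used.
        cur = self.conn.execute(
            "UPDATE token SET counter=? WHERE serial=? AND counter=?",
            (self.seen + 1, self.serial, self.seen))
        return cur.rowcount == 1


def race(commit_name):
    """Replay the single valid OTP in two interleaved requests and return
    (first_accepted, second_accepted, final_counter)."""
    conn = new_db()
    otp = otp_for_counter(5)  # the one currently valid OTP, sent twice
    a = Request(conn, "HOTP0001", otp)
    b = Request(conn, "HOTP0001", otp)
    # Interleaving: both requests read and verify before either writes.
    a_ok = a.read_and_verify()
    b_ok = b.read_and_verify()
    a_ok = a_ok and getattr(a, commit_name)()
    b_ok = b_ok and getattr(b, commit_name)()
    (counter,) = conn.execute("SELECT counter FROM token").fetchone()
    conn.close()
    return a_ok, b_ok, counter


if __name__ == "__main__":
    print("unconditional update:", race("commit_vulnerable"))
    print("compare-and-swap:    ", race("commit_cas"))
```

With the unconditional update both requests are accepted and the counter ends at 6, so the same OTP was honoured twice; with the compare-and-swap only the first request is accepted. The reason this matters for the engines named in the entry is that under InnoDB's REPEATABLE READ a plain SELECT reads from the transaction's snapshot, while an UPDATE ... WHERE is evaluated against the latest committed row version, so putting the condition into the UPDATE (or using SELECT ... FOR UPDATE) is what turns the check into an atomic one. On MariaDB, `SHOW VARIABLES LIKE 'innodb_snapshot_isolation';` reports the setting the entry refers to; MySQL has no equivalent switch, which is why the entry lists every MySQL version as affected.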