一、 漏洞 CVE-2024-52598 基础信息
漏洞标题
2FAuth存在服务器端请求伪造漏洞及URI验证绕过漏洞
来源:AIGC 神龙大模型
漏洞描述信息
N/A
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
来源:AIGC 神龙大模型
漏洞类别
服务端请求伪造(SSRF)
来源:AIGC 神龙大模型
漏洞标题
2FAuth vulnerable to Server Side Request Forgery + URI validation bypass in 2fauth /api/v1/twofaccounts/preview
来源:美国国家漏洞数据库 NVD
漏洞描述信息
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Two interconnected vulnerabilities exist in version 5.4.1 a SSRF and URI validation bypass issue. The endpoint at POST /api/v1/twofaccounts/preview allows setting a remote URI to retrieve the image of a 2fa site. By abusing this functionality, it is possible to force the application to make a GET request to an arbitrary URL, whose content will be stored in an image file in the server if it looks like an image. Additionally, the library does some basic validation on the URI, attempting to filter our URIs which do not have an image extension. However, this can be easily bypassed by appending the string `#.svg` to the URI. The combination of these two issues allows an attacker to retrieve URIs accessible from the application, as long as their content type is text based. If not, the request is still sent, but the response is not reflected to the attacker. Version 5.4.1 fixes the issues.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源:美国国家漏洞数据库 NVD
漏洞标题
2FAuth 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
2FAuth是Bubka个人开发者的一个用于管理双因素身份验证 (2FA) 帐户并生成其安全代码的 Web 应用程序。 2FAuth v5.4.1之前版本存在安全漏洞,该漏洞源于存在验证绕过问题,允许攻击者轻松绕过此验证。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-52598 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
三、漏洞 CVE-2024-52598 的情报信息
-
标题: SSRF + URI validation bypass in 2fauth /api/v1/twofaccounts/preview · Advisory · Bubka/2FAuth · GitHub -- 🔗来源链接
标签: x_refsource_CONFIRM
神龙速读
- https://nvd.nist.gov/vuln/detail/CVE-2024-52598