CVE-2024-48942
Oct. 11, 2024, 9:36 p.m.
5.9
Medium
Description
The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Syracom |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-799
Improper Control of Interaction Frequency
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | syracom | secure_login | / | / | / | / | / | bitbucket | / | / |
| a | syracom | secure_login | / | / | / | / | / | confluence | / | / |
| a | syracom | secure_login | / | / | / | / | / | jira | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Timeline
Published: Oct. 10, 2024, 12:15 a.m.
Last Modified: Oct. 11, 2024, 9:36 p.m.
Last Modified: Oct. 11, 2024, 9:36 p.m.
Status : Modified
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cve@mitre.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.