CVE-2022-36105

 

Published at: - 13-09-2022 08:15

Last modified: - 13-09-2022 10:43

Total changes: - 1

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts. Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new `MimicServiceInterface::mimicAuthUser`, which simulates corresponding times regular processing would usually take. Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix this problem. There are no known workarounds for this issue.

Common Vulnerability Scoring System (CVSS)

-

 

Verification logic

 

Reference

• https://github.com/TYPO3/typo3/security/advisories/GHSA-m392-235j-9r7r
• https://typo3.org/security/advisory/typo3-core-sa-2022-007
• https://github.com/TYPO3/typo3/commit/f8b83ce15d4ea275a5a5e564e5d324242f7937b6

 

Keywords

NVD

 

CVE-2022-36105

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures