CVE-2024-30173: OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass

April 2, 2024

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx_oidc” is not empty.

In scenarios, where either ext:felogin is active or where $GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’] is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

References

github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2024-30173.yaml
github.com/advisories/GHSA-hhf8-f5w9-g6vh
github.com/xperseguers/t3ext-oidc
nvd.nist.gov/vuln/detail/CVE-2024-30173
typo3.org/security/advisory/typo3-ext-sa-2024-002

Detect and mitigate CVE-2024-30173 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →