CVE-2019-12887: LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
(updated )
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time.
This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The automatic resynchronization is deactivated by default. All other tokens are unaffected.
References
- github.com/LinOTP/LinOTP
- github.com/LinOTP/LinOTP/commit/6d28d93af59d2ce0d844a6a3282148064efc6ad8
- github.com/advisories/GHSA-rqg8-xjp2-pg9w
- github.com/pypa/advisory-database/tree/main/vulns/linotp/PYSEC-2019-103.yaml
- linotp.org/linotp-hotfix-autoresync.html
- nvd.nist.gov/vuln/detail/CVE-2019-12887
- www.linotp.org/CVE-2019-12887.txt
Detect and mitigate CVE-2019-12887 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →