Impact
This vulnerability is caused by a third-party library exposing the random number generator's seed through the API. With the seed known, the randomly generated verification codes can potentially be reproduced and replayed, which could lead to password resets.
Affected versions: v2.24 - v3.6.4.
Deployments with MFA enabled are not affected.
Deployments that do not use local authentication are not affected (note that the admin account may still be local unless it has been disabled).
Further details are withheld for now to prevent the vulnerability from being exploited.
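The root cause described above is a general one: a verification code drawn from a seeded pseudo-random generator is only as secret as the seed. The following example is added here for illustration and is not code from the project or the advisory; it contrasts a seeded generator (the weak pattern) with one built on the operating system's CSPRNG, and shows the single-use, constant-time check a verifier should apply. All function names and the 6-digit code format are assumptions.

```python
import hmac
import random
import secrets
import string

CODE_ALPHABET = string.digits
CODE_LENGTH = 6


def seeded_code(seed: int, length: int = CODE_LENGTH) -> str:
    """Weak pattern (for contrast only): the code is derived from a PRNG
    seeded with a value that could become visible to clients. The same
    seed always yields the same code, so the code is as secret as the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(CODE_ALPHABET) for _ in range(length))


def secure_code(length: int = CODE_LENGTH) -> str:
    """Hardened pattern: draw from the OS CSPRNG via the secrets module.
    There is no application-controlled seed, so nothing can be exposed."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def seed_reproduces_code(seed: int) -> bool:
    """Defender's check: if two independent generators fed the same seed
    produce the same code, the generator is unsuitable for verification codes."""
    return seeded_code(seed) == seeded_code(seed)


def distinct_fraction(make_code, samples: int = 200) -> float:
    """Rough sanity check on a code generator: fraction of distinct codes
    across `samples` draws (a CSPRNG over 10^6 values should be close to 1.0)."""
    codes = {make_code() for _ in range(samples)}
    return len(codes) / samples


class CodeVerifier:
    """Issues single-use codes and checks them in constant time.
    Storage here is an in-memory dict (constructed for the example)."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # user -> outstanding code

    def issue(self, user: str) -> str:
        code = secure_code()
        self._pending[user] = code
        return code

    def verify(self, user: str, submitted: str) -> bool:
        expected = self._pending.get(user)
        if expected is None:
            return False
        # compare_digest avoids timing leaks; pop() makes the code single-use,
        # so a replayed code is rejected even if it was once valid.
        ok = hmac.compare_digest(expected, submitted)
        if ok:
            self._pending.pop(user, None)
        return ok


if __name__ == "__main__":
    print("seeded generator reproducible:", seed_reproduces_code(2023))
    print("distinct fraction, CSPRNG:", distinct_fraction(secure_code))
    v = CodeVerifier()
    c = v.issue("alice")
    print("first use accepted:", v.verify("alice", c))
    print("replay accepted:", v.verify("alice", c))
```

The `seed_reproduces_code` check is the one to add to a review of any verification-code or reset-token generator: if a fixed seed yields a fixed code, the code's secrecy depends entirely on keeping that seed out of every API response and log line, which is the failure mode this advisory describes.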
Patches
Upgrade to safe versions:
v2 version: >= v2.28.19
v3 version: >= v3.6.5
References
Thanks to lawliet and Zhiniang Peng (@edwardzpeng) of Sangfor for reporting this bug.