CVE-2022-42731

HIGH

django-mfa2 <2.5.1, <2.6.1 - Info Disclosure

Title source: llm

Description

mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.

References (3)

[Exploit, Third Party Advisory] https://github.com/mkalioby/django-mfa2/blob/0936ea253354dd95cb127f09d0efa31324caef27/mfa/FIDO2.py#L58

View Exploit ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/mkalioby/django-mfa2/releases/tag/v2.5.1-release

[Release Notes, Third Party Advisory] https://github.com/mkalioby/django-mfa2/releases/tag/v2.6.1-release

Scores

CVSS v3 7.5

EPSS 0.0043

EPSS Percentile 62.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-294

Status published

Products (2)

django-mfa2_project/django-mfa2 < 2.5.1

pypi/django-mfa2 0 - 2.5.1PyPI

Published Oct 11, 2022

Tracked Since Feb 18, 2026