SB2019111510 - Multiple vulnerabilities in Pimcore

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-18981)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists in the "models/Notification/Service/NotificationService.php" file due to improper access restrictions. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.

2) Improper control of interaction frequency (CVE-ID: CVE-2019-18985)

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists due to the affected software lacks brute force protection for the 2FA token. A remote attacker can brute-force passwords on the target system.

3) Improper control of interaction frequency (CVE-ID: CVE-2019-18986)

The vulnerability allows a remote attacker to perform a brute-force attack on the target system.

The vulnerability exists due to the application does not implement sufficient measures to prevent multiple failed authentication attempts. A remote attacker can brute-force (guess) valid usernames by using the "forgot password" functionality as it returns distinct messages for invalid password and non-existing users.

Remediation

Install update from vendor's website.

References

• https://github.com/pimcore/pimcore/commit/0a5d80b2593b2ebe35d19756b730ba33aa049106
• https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
• https://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
• https://github.com/pimcore/pimcore/commit/4a7bba5c3f818852cbbd29fa124f7fb09a207185