7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1020002

GHSA ID

GHSA-fg52-xjfc-9rh8

EPSS Score

0.54157%

CWE

CWE-203

Published

5/24/2022

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1020002

CVE-2019-1020002: Pterodactyl vulnerable to 2FA Sniffing

Pterodactyl version 0.7.13 and lower - 2FA Sniffing

Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.

Impact

Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.

A logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.

For more information

If you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-1020002

GHSA ID

GHSA-fg52-xjfc-9rh8

EPSS Score

0.54157%

CWE

CWE-203

Published

5/24/2022

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pterodactyl/panel	composer	<= 0.7.13	0.7.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a logical flaw in the authentication flow (checking 2FA status before validating credentials), but the provided code diffs and files focus on 2FA secret generation and QR code handling rather than the authentication sequence itself. The actual vulnerable login controller logic that caused the observable discrepancy isn't shown in the provided patches. The modified TwoFactorSetupService and SecurityController functions relate to 2FA setup mechanics, not the flawed authentication order that allowed account enumeration. Without seeing the pre-patch login handler code that performed 2FA checks before password validation, we cannot confidently identify specific vulnerable functions from the provided data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**Pt*ro***tyl v*rsion *.*.** *n* low*r - *** Sni**in*** Us*rs w*o **v* *n**l** *** prot**tions on t**ir ***ount **n unint*ntion*lly **v* t**ir ***ount's *xist*n** sni**** *y m*li*ious us*rs w*o *nt*r r*n*om *r***nti*ls into t** lo*in *i*l*s. ### Im

Reasoning

T** vuln*r**ility st*ms *rom * lo*i**l *l*w in t** *ut**nti**tion *low (****kin* *** st*tus ***or* v*li**tin* *r***nti*ls), *ut t** provi*** *o** *i**s *n* *il*s *o*us on *** s**r*t **n*r*tion *n* QR *o** **n*lin* r*t**r t**n t** *ut**nti**tion s*qu*

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-1020002: Pterodactyl vulnerable to 2FA Sniffing

Impact

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI