5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36105

GHSA ID

GHSA-m392-235j-9r7r

EPSS Score

0.61959%

CWE

CWE-203

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36105

CVE-2022-36105: TYPO3 CMS vulnerable to User Enumeration via Response Timing

Meta

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that observing response time during user authentication (backend and frontend) can be used to distinguish between existing and non-existing user accounts.

Extension authors of 3rd party TYPO3 extensions providing a custom authentication service should check if the extension is affected by the described problem. Affected extensions must implement new MimicServiceInterface::mimicAuthUser, which simulates corresponding times regular processing would usually take.

Solution

Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above.

Credits

Thanks to Vautia who reported this issue and to TYPO3 core & security team members Oliver Hader who fixed the issue.

References

TYPO3-CORE-SA-2022-007
Vulnerability Report on huntr.dev (embargoed +30 days)

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36105

GHSA ID

GHSA-m392-235j-9r7r

EPSS Score

0.61959%

CWE

CWE-203

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 7.0.0, < 7.6.58	7.6.58
typo3/cms-core	composer	>= 8.0.0, < 8.7.48	8.7.48
typo3/cms-core	composer	>= 9.0.0, < 9.5.37	9.5.37
typo3/cms-core	composer	>= 10.0.0, < 10.4.32	10.4.32
typo3/cms-core	composer	>= 11.0.0, < 11.5.16	11.5.16
typo3/cms	composer	>= 10.0.0, < 10.4.32	10.4.32
typo3/cms	composer	>= 11.0.0, < 11.5.16	11.5.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from timing discrepancies during authentication. The checkAuthentication method controlled the authentication flow but lacked code to simulate delays for invalid users, making response times leak user existence. The authUser method's password validation for valid users created a baseline timing difference. The fix introduced mimicAuthUser in AuthenticationService and triggered it in checkAuthentication to eliminate this discrepancy. Third-party authentication services without mimicAuthUser implementations would also be vulnerable, but the core issue resides in the unpatched checkAuthentication flow and authUser's lack of mitigation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

> ### M*t* > * *VSS: `*VSS:*.*/*V:N/**:L/PR:N/UI:N/S:U/*:L/I:N/*:N/*:*/RL:O/R*:*` (*.*) ### Pro*l*m It **s ***n *is*ov*r** t**t o*s*rvin* r*spons* tim* *urin* us*r *ut**nti**tion (***k*n* *n* *ront*n*) **n ** us** to *istin*uis* **tw**n *xistin* *n*

Reasoning

T** vuln*r**ility st*ms *rom timin* *is*r*p*n*i*s *urin* *ut**nti**tion. T** ****k*ut**nti**tion m*t*o* *ontroll** t** *ut**nti**tion *low *ut l**k** *o** to simul*t* **l*ys *or inv*li* us*rs, m*kin* r*spons* tim*s l**k us*r *xist*n**. T** *ut*Us*r m

5.3

Basic Information

Concerned about an active attack path?

CVE-2022-36105: TYPO3 CMS vulnerable to User Enumeration via Response Timing

Meta

Problem

Solution

Credits

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI