Miggo Logo

CVE-2022-36105: TYPO3 CMS vulnerable to User Enumeration via Response Timing

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.61959%
Published
9/16/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
typo3/cms-corecomposer>= 7.0.0, < 7.6.587.6.58
typo3/cms-corecomposer>= 8.0.0, < 8.7.488.7.48
typo3/cms-corecomposer>= 9.0.0, < 9.5.379.5.37
typo3/cms-corecomposer>= 10.0.0, < 10.4.3210.4.32
typo3/cms-corecomposer>= 11.0.0, < 11.5.1611.5.16
typo3/cmscomposer>= 10.0.0, < 10.4.3210.4.32
typo3/cmscomposer>= 11.0.0, < 11.5.1611.5.16

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from timing discrepancies during authentication. The checkAuthentication method controlled the authentication flow but lacked code to simulate delays for invalid users, making response times leak user existence. The authUser method's password validation for valid users created a baseline timing difference. The fix introduced mimicAuthUser in AuthenticationService and triggered it in checkAuthentication to eliminate this discrepancy. Third-party authentication services without mimicAuthUser implementations would also be vulnerable, but the core issue resides in the unpatched checkAuthentication flow and authUser's lack of mitigation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

> ### M*t* > * *VSS: `*VSS:*.*/*V:N/**:L/PR:N/UI:N/S:U/*:L/I:N/*:N/*:*/RL:O/R*:*` (*.*) ### Pro*l*m It **s ***n *is*ov*r** t**t o*s*rvin* r*spons* tim* *urin* us*r *ut**nti**tion (***k*n* *n* *ront*n*) **n ** us** to *istin*uis* **tw**n *xistin* *n*

Reasoning

T** vuln*r**ility st*ms *rom timin* *is*r*p*n*i*s *urin* *ut**nti**tion. T** ****k*ut**nti**tion m*t*o* *ontroll** t** *ut**nti**tion *low *ut l**k** *o** to simul*t* **l*ys *or inv*li* us*rs, m*kin* r*spons* tim*s l**k us*r *xist*n**. T** *ut*Us*r m