Vulnerability Change Records for CVE-2024-41958

Change History

New CVE Received from GitHub, Inc. 8/05/2024 4:15:36 PM

Action: Added
Type: Description
Old Value: (none)
New Value:
mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action: Added
Type: CVSS V3.1
Old Value: (none)
New Value: GitHub, Inc. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

Action: Added
Type: CWE
Old Value: (none)
New Value: GitHub, Inc. CWE-697

Action: Added
Type: Reference
Old Value: (none)
New Value: GitHub, Inc. https://github.com/mailcow/mailcow-dockerized/commit/f33d82ffc11ed3438609d4e7a6baa78cb3305bc3 [No types assigned]

Action: Added
Type: Reference
Old Value: (none)
New Value: GitHub, Inc. https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4fcc-q245-qqgg [No types assigned]