LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
Critical severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Sep 30, 2024
Description
Published by the National Vulnerability Database
Jun 27, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Apr 29, 2024
Last updated
Sep 30, 2024
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time.
This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The automatic resynchronization is deactivated by default. All other tokens are unaffected.
References