CVE-2025-23017

{"id": "CVE-2025-23017", "cveTags": [{"tags": ["exclusively-hosted-service"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.8}]}, "published": "2025-02-24T15:15:13.393", "references": [{"url": "https://workos.com/security/advisories", "source": "[email protected]"}, {"url": "https://www.authkit.com", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-305"}]}], "descriptions": [{"lang": "en", "value": "WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred."}, {"lang": "es", "value": " WorkOS Hosted AuthKit anterior al 7 de enero de 2025 permite omitir la autenticaci\u00f3n de contrase\u00f1as mediante MFA (mediante el registro de un nuevo factor de autenticaci\u00f3n) cuando el atacante conoce la contrase\u00f1a del usuario. No se produjo ninguna explotaci\u00f3n."}], "lastModified": "2025-02-24T16:15:14.420", "sourceIdentifier": "[email protected]"}