CVE-2021-28373

7.5 HIGH

📋 TL;DR

The auth_internal plugin in Tiny Tiny RSS (tt-rss) before March 12, 2021 lets an attacker log in with only a valid OTP (one-time password) code: when OTP is enabled for an account, check_password() is never called, so whatever password is submitted with the login form is ignored. For every user who turned on two-factor authentication (2FA), this reduces login to OTP-only authentication. The flaw affects installations running the git master branch, which is what the project directs production users to run.

💻 Affected Systems

Products:
  • Tiny Tiny RSS (tt-rss)
Versions: Git master branch before commit 4949e1a59059d9e72ba7a98f783cec312c06c6d2 (March 12, 2021)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects installations with OTP/2FA enabled. The vulnerability existed only in the git master branch, but all production users are directed to use this branch. Semantic version numbers (like 21.03) are automatically generated and not actual releases.

📦 What is this software?

Tiny Tiny RSS is a self-hosted, web-based RSS/Atom feed reader and aggregator written in PHP. It is deployed from its git repository rather than from numbered releases, which is why the affected range above is expressed as a commit rather than a version.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who knows a valid username and can produce a valid OTP code for that account (for example, from a copied TOTP secret) logs in without the password and has full use of the account: feed subscriptions, stored articles, preferences and, if the account is an administrator, the administrative functions as well. For every user who enabled 2FA, the second factor has silently become the only factor.

🟠

Likely Case

Takeover of accounts whose OTP secret has leaked, with disclosure of the user's feeds and personal data; the account password offers no protection on affected installations.

🟢

If Mitigated

With the login interface reachable only from trusted networks (VPN or IP allow-list) and normal segmentation in place, exposure is limited to the tt-rss application and its data rather than the wider network.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid username and a valid OTP code for that account; the password is never checked, so any value in the password field is accepted. No public exploit code has been released, but none is needed: the attacker simply submits the normal login form with the OTP code. Obtaining the code means either possessing the account's TOTP secret or guessing a short numeric code, so the practical risk concentrates on accounts whose secret has been exposed.
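The control-flow bug described above, as an added illustration (this is not tt-rss code, and the real auth_internal plugin is structured differently): the user store, the PBKDF2 password hashing and the small TOTP routine are this example's own assumptions. It contrasts an authenticate() where a valid OTP replaces the password check with one where the OTP is an additional gate after it.

```python
"""Added illustration of CVE-2021-28373's logic flaw; this is NOT tt-rss code.

The user store, PBKDF2 password hashing and the TOTP routine are this
example's own (assumptions); tt-rss's real auth_internal plugin is
structured differently.  What it shows is the control-flow bug named in the
advisory: when OTP is enabled, the OTP check replaces the password check
instead of following it.
"""
import base64
import hashlib
import hmac
import struct

_SALT = b"example-salt"  # illustrative; use a per-user random salt in practice


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user records (secrets are illustrative, not real credentials).
USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple"),
        "otp_enabled": True,
        "otp_secret": "JBSWY3DPEHPK3PXP",  # base32 TOTP seed
    },
    "bob": {
        "pw_hash": _hash_password("hunter2"),
        "otp_enabled": False,
        "otp_secret": None,
    },
}


def totp(secret_b32: str, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(timestamp // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], _hash_password(password))


def check_otp(user: dict, code: str, now: float) -> bool:
    # Accept the current 30 s step and one step either side for clock skew.
    return any(
        hmac.compare_digest(totp(user["otp_secret"], now + skew * 30), code)
        for skew in (-1, 0, 1)
    )


def authenticate_vulnerable(login: str, password: str, otp: str, now: float) -> bool:
    """Shape of the bug: with OTP enabled, a valid code is the only thing
    verified; check_password() is never reached, so 'password' is ignored."""
    user = USERS.get(login)
    if user is None:
        return False
    if user["otp_enabled"]:
        return check_otp(user, otp, now)  # password never checked
    return check_password(user, password)


def authenticate_fixed(login: str, password: str, otp: str, now: float) -> bool:
    """Corrected order: the password must pass first, and OTP is an
    additional gate for accounts that enabled it, never a replacement."""
    user = USERS.get(login)
    if user is None or not check_password(user, password):
        return False
    if user["otp_enabled"]:
        return check_otp(user, otp, now)
    return True


def demo() -> dict:
    """Attacker holds alice's TOTP secret (e.g. a copied authenticator
    export) but not her password; a fixed time keeps the result reproducible."""
    now = 1_300_000_000
    stolen_code = totp(USERS["alice"]["otp_secret"], now)
    return {
        "vuln_otp_only": authenticate_vulnerable("alice", "wrong", stolen_code, now),
        "fixed_otp_only": authenticate_fixed("alice", "wrong", stolen_code, now),
        "fixed_both": authenticate_fixed("alice", "correct horse battery staple", stolen_code, now),
        "fixed_no_otp_user": authenticate_fixed("bob", "hunter2", "", now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

Running it shows the vulnerable path accepting alice with a wrong password and a stolen code, while the fixed path rejects the same input and only accepts password plus code. The design point is that a second factor must be checked in addition to the first, never instead of it; any early return on the OTP branch that skips the password check recreates this bug.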

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Git commit 4949e1a59059d9e72ba7a98f783cec312c06c6d2 and later

Vendor Advisory: https://community.tt-rss.org/t/check-password-not-called-if-otp-is-enabled-update-asap-if-youre-using-2fa/4502

Restart Required: No

Instructions:

1. Change to your tt-rss installation directory.
2. Run: git pull origin master
3. Confirm the fix commit is now in your history: git merge-base --is-ancestor 4949e1a59059d9e72ba7a98f783cec312c06c6d2 HEAD && echo patched
4. If you deploy by copying files or from a container image rather than running a git checkout in place, rebuild or redeploy from a post-fix commit; pulling in an unrelated clone does not update the running code.

🔧 Temporary Workarounds

Disable OTP/2FA (platform: all)

Temporarily disable two-factor authentication until the patch can be applied. With OTP off, the normal password check runs again, but the account is then protected by the password alone.

Restrict Access (platform: all)

Put the tt-rss login interface behind a VPN or an IP allow-list so that only trusted networks can reach it.

🧯 If You Can't Patch

  • Disable OTP/2FA for all users immediately. This removes the bypass but also removes the second factor, so a leaked password then suffices; treat it as a stopgap, not a fix.
  • Implement network-level access controls so that tt-rss is reachable only from trusted IPs or over VPN.

🔍 How to Verify

Check if Vulnerable:

From the installation directory, test whether the fix commit is an ancestor of the checked-out revision; if it is not, the installation is vulnerable:

git merge-base --is-ancestor 4949e1a59059d9e72ba7a98f783cec312c06c6d2 HEAD && echo patched || echo VULNERABLE

Check Version:

git log --oneline -1

This shows only the checked-out commit. tt-rss has no real release numbers to compare against (see Notes above), so use the ancestry test rather than a version string.

Verify Fix Applied:

The ancestry test above prints "patched" once the fix is in your history. Equivalently: git log --oneline | grep 4949e1a (git log walks the ancestors of HEAD, so a match means the commit is included). If the code is deployed by copying files or from a container image, check the copied tree or image against a post-fix commit rather than an unrelated repository clone.

📡 Detection & Monitoring

Log Indicators:

  • Successful logins to 2FA-enabled accounts from new IP addresses, devices or locations. A bypassed login looks like any other successful login; the application does not record that the password check was skipped, so account-level anomalies are the practical signal.
  • Bursts of failed login attempts against one account or from one source followed by a success, the pattern left by guessing an OTP code.
  • Successful logins to accounts whose OTP secret may have been exposed (shared authenticator exports, backups, enrolment screenshots).

Network Indicators:

  • Repeated POSTs to the tt-rss login endpoints (the web login form and the API login call) from a single source in a short window.
  • Login traffic to 2FA-enabled accounts outside the user's normal hours or from unexpected networks.

SIEM Query:

Field names below are placeholders; map them to whatever your log pipeline actually emits. The useful signal is a successful login to a 2FA-enabled account from a source not previously seen for that user:

source="tt-rss" AND event="login_success" AND otp_enabled=true AND NOT src_ip IN (known_ips_for_user)
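The "burst of login POSTs from one source" indicator above, implemented over constructed web-server access-log lines as an added example (not from this page or the tt-rss project). It assumes combined-format access logs and a login form that posts to /tt-rss/public.php?op=login; both the format and the path are assumptions to adjust to your own deployment.

```python
"""Added example, not part of tt-rss: flag source IPs that hammer the login
endpoint, the access-log footprint of someone guessing OTP codes.

Assumptions: Apache/nginx combined log format, and a login form posting to
LOGIN_PATH below (verify the path for your deployment; it is not stated in
the advisory).  Success versus failure is not derived here: a plain access
log does not reliably show whether a tt-rss login succeeded, so this flags
volume and leaves the outcome to application logs.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/tt-rss/public.php?op=login"  # assumption; adjust to your install

# Constructed sample: one client probing the login form, one normal user, noise.
SAMPLE_LOG = [
    '198.51.100.2 - - [12/Mar/2021:09:00:00 +0000] "GET /tt-rss/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2021:09:00:05 +0000] "POST /tt-rss/public.php?op=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line at all',
] + [
    f'203.0.113.7 - - [12/Mar/2021:09:10:{s:02d} +0000] '
    f'"POST /tt-rss/public.php?op=login HTTP/1.1" 200 4096 "-" "curl/7.74.0"'
    for s in range(0, 40, 5)  # eight POSTs inside 35 seconds
]


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_bursts(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Map source IP -> peak number of login POSTs seen inside any window_s
    window, for IPs that reach threshold at least once."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path == LOGIN_PATH:
            by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def demo() -> dict:
    return login_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, hits in demo().items():
        print(f"{ip}: {hits} login POSTs within 60 s")
```

Tune window_s and threshold to your traffic; a handful of login POSTs per minute from one address is ordinary for a shared NAT, while dozens are not. Pair the flagged addresses with application-side records of which accounts those attempts targeted.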

🔗 References
