CVE-2023-49075

8.4 HIGH

📋 TL;DR

This vulnerability in Pimcore's Admin Classic Bundle disables two-factor authentication for non-admin security firewalls, allowing authenticated users to bypass 2FA requirements. It affects systems using the Admin Classic Bundle for Pimcore backend management. The issue was introduced in version 11 and fixed in version 1.2.2.

💻 Affected Systems

Products:
  • Pimcore Admin Classic Bundle
Versions: Version 11 up to, but not including, 1.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the Admin Classic Bundle with non-admin security firewalls configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with valid credentials can bypass 2FA entirely, gaining unauthorized access to sensitive administrative functions and potentially compromising the entire Pimcore instance.

🟠 Likely Case

Authenticated users (including lower-privileged accounts) can access systems without completing 2FA, potentially accessing data or functions beyond their intended permissions.

🟢 If Mitigated

With proper network segmentation and strong credential policies, impact is limited to specific administrative interfaces rather than full system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials but no special tools or knowledge beyond normal authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2

Vendor Advisory: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg

Restart Required: Yes

Instructions:

1. Update Admin Classic Bundle to version 1.2.2 via Composer: composer update pimcore/admin-ui-classic-bundle
2. Clear Symfony cache: php bin/console cache:clear
3. Restart web server services

🔧 Temporary Workarounds

Disable non-admin firewalls

Applies to: all

Temporarily disable non-admin security firewalls to force all users through the admin firewall with 2FA.

Modify security.yaml to comment out or remove the non-admin firewall configurations.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to Pimcore admin interfaces
  • Enforce strict credential policies and monitor for unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check Admin Classic Bundle version via Composer: composer show pimcore/admin-ui-classic-bundle | grep version

Check Version:

composer show pimcore/admin-ui-classic-bundle | grep version

Verify Fix Applied:

Verify version is 1.2.2 or higher and test 2FA enforcement for non-admin users
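The version check above can be scripted so it gives an unambiguous vulnerable/patched answer instead of relying on a visual read of the Composer output. The following is an added example, not part of the advisory or of the Pimcore project; it assumes the `composer show <package>` output format with a `versions : * X.Y.Z` line and uses GNU `sort -V` for the comparison. The sample output embedded in the block is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from `composer show` output
# whether the installed pimcore/admin-ui-classic-bundle is below the 1.2.2 fix.

FIXED_VERSION="1.2.2"

# Extract the installed version from `composer show <pkg>` output read on stdin.
# Assumes the line format "versions : * 1.2.1" (optional leading "v" tolerated).
extract_version() {
  sed -n 's/^versions *: *\* *v\{0,1\}\([0-9][0-9A-Za-z.+-]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when $1 sorts strictly before $2 as a version string.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "vulnerable" if the given version predates the fix, otherwise "patched".
classify() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Read `composer show` output on stdin and classify the installed version.
# Real usage:  composer show pimcore/admin-ui-classic-bundle | check_installed
check_installed() {
  v="$(extract_version)"
  if [ -z "$v" ]; then
    echo "unknown (no versions line found)"
    return 2
  fi
  echo "$v $(classify "$v")"
}

# Constructed sample output standing in for a real `composer show` run.
SAMPLE_OUTPUT='name     : pimcore/admin-ui-classic-bundle
descrip. : Pimcore Admin UI Classic Bundle
keywords :
versions : * 1.2.1
type     : pimcore-bundle'

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | check_installed
```

Exit status 2 from `check_installed` flags output that could not be parsed, so a changed Composer output format fails loudly instead of silently reporting "patched".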

📡 Detection & Monitoring

Log Indicators:

  • Authentication logs showing successful login without 2FA completion for non-admin users
  • Access to admin functions from non-admin user accounts

Network Indicators:

  • Unusual authentication patterns from non-admin accounts
  • Access to administrative endpoints without expected 2FA delays

SIEM Query:

source="pimcore" (event="authentication_success" AND NOT event="2fa_completed") AND user_role!="admin"

🔗 References