x/vulndb: potential Go vuln in github.com/ory/kratos: GHSA-wc43-73w7-x2f5

[GoVulnBot]

Advisory GHSA-wc43-73w7-x2f5 references a vulnerability in the following Go modules:

Module
github.com/ory/kratos

Description:

Preconditions

• The code login method is enabled with the passwordless_enabled flag set to true .
• A 2FA method such as totp is enabled.
• required_aal of the whomai check or the settings flow is set to highest_available. AAL stands for Authenticator Assurance Levels and can range from 0 (no factor) to 2 (two factors).
• A user uses the code method as the only login method available. They do not have a password or any other first factor credential enabled.
• The user has 2FA enabled.
• The user’s available_aal is incorrectly stored in the database as aal1 or aal0...

References:

• ADVISORY: GHSA-wc43-73w7-x2f5
• ADVISORY: GHSA-wc43-73w7-x2f5

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ory/kratos
      non_go_versions:
        - introduced: TODO (earliest fixed "1.3.0", vuln range "<= 1.2.0")
      vulnerable_at: 1.3.0
summary: |-
    Ory Kratos's setting required_aal `highest_available` does not properly respect
    code + mfa credentials in github.com/ory/kratos
cves:
    - CVE-2024-45042
ghsas:
    - GHSA-wc43-73w7-x2f5
references:
    - advisory: https://github.com/advisories/GHSA-wc43-73w7-x2f5
    - advisory: https://github.com/ory/kratos/security/advisories/GHSA-wc43-73w7-x2f5
source:
    id: GHSA-wc43-73w7-x2f5
    created: 2024-09-26T18:01:17.514237426Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/616060 mentions this issue: data/reports: add 11 unreviewed reports