CVE-2022-45168: 
Linux Alpine vulnerability analysis and mitigation

A Two-Factor Authentication bypass vulnerability was discovered in LIVEBOX Collaboration vDesk through v018. The vulnerability exists under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, where the application allows users to generate or regenerate backup codes before verifying the TOTP (Time-based One-Time Password) (NVD).

The vulnerability stems from an improper authentication implementation where the application fails to enforce proper verification order in the two-factor authentication process. Specifically, the application allows the generation or regeneration of backup codes before validating the TOTP authentication step. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows an attacker with valid user credentials to bypass the two-factor authentication mechanism by manipulating the backup code generation process. This could lead to unauthorized access to user accounts that have 2FA enabled, compromising the security of the authentication system (NVD).

The vulnerability affects LIVEBOX Collaboration vDesk through version 018. Users should update to a patched version when available. In the meantime, organizations should monitor for suspicious authentication attempts and consider implementing additional security controls around the 2FA process (NVD).