CVE-2022-45174: 
Linux Alpine vulnerability analysis and mitigation

An issue was discovered in LIVEBOX Collaboration vDesk through v018 that allows bypass of Two-Factor Authentication for SAML Users. The vulnerability exists under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint, where the correctness of the TOTP is not checked properly and can be bypassed by passing any string as the backup code (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is classified under CWE-287 (Improper Authentication). The vulnerability affects LIVEBOX Collaboration vDesk versions up to and including v018 (NVD).

The vulnerability allows attackers to bypass Two-Factor Authentication mechanisms, potentially gaining unauthorized access to user accounts. This could lead to complete compromise of user accounts protected by TOTP-based 2FA, as the authentication mechanism can be circumvented by providing any arbitrary string as a backup code (NVD).

Users should upgrade to a version newer than v018 once a patch is available. In the meantime, organizations should consider implementing additional security controls or authentication mechanisms to protect sensitive resources (NVD).