2FA Bypass in Cockpit Content Platform ≤ v2.2.1 in cockpit-hq/cockpit


Reported on

Aug 11th 2022


2FA secret is disclosed in JWT token after user logs into his account in Cockpit Content Platform ≤ v2.2.1 allowing attacker to bypass the 2FA code.

Proof of Concept

1.Login with your admin account and enable 2FA in your account and logout.

2.Go to http://yourserver.com/cockpit221/auth/login and enter your username and password and intercept the request in BurpSuite or Owasp Zap.

3.Now, Click perform following action "Right click > Do intercept > Response to this request" and forward the request.

4.Now you will get a response like this from http://yourserver.com/cockpit221/auth/check.

HTTP/1.0 200 OK

Date: Thu, 11 Aug 2022 11:24:32 GMT

Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1

X-Powered-By: PHP/8.1.6

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 520

Connection: close

Content-Type: application/json


5.Now, copy the payload of JWT token and decode it. The structure of JWT token is like this header.payload.signature .

6.Decode the payload. You will notice that the Authentication Secret token is disclosed in the payload JWT token.

7.Copy the Authenticator Secret token and provide it to Google Authenticator . @2FA is bypassed.

8.Attacker can exploit this vulnerability to bypass 2FA.

Proof Of Concept Video : https://drive.google.com/file/d/1rKCtY5W7XyIuApHtVAdWOusHJpw8b8OF/view?usp=sharing


Account Takeover

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a year ago
a year ago


Hi 👋 One question. You said that the attacker would decode the JWT payload. But how would the attacker know the secret to decode the payload?

Cheers Artur

a year ago


Ahh, my bad. Yes, that needs to be fixed 👍

Artur validated this vulnerability a year ago

Fix is on the way

Suvam Adhikari has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.2.2 with commit 4bee1b a year ago
Artur has been awarded the fix bounty
This vulnerability will not receive a CVE
Artur gave praise a year ago
Thank you very much for reporting 🙏
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Suvam Adhikari
a year ago


Hi @maintainer ,

Thanks for quick fix. May I know when will the next release be published?

Kind Regards, @whoisshuvam

a year ago


v2.2.2 is planned for Monday (2022-08-15)

Suvam Adhikari
a year ago


Hi @admin ,

Can you make the report private. The new release v2.2.2 will be made on Monday. Hi @maintainer , I would be glad if you could approve for CVE.

Kind Regards, @whoisshuvam

a year ago


approved 👍

Suvam Adhikari
a year ago


Hi @admin,

Can you please assign an CVE for this vulnerability 😇 since its approved by maintainer and fix has been deployed.

Kind Regards, Suvam

Jamie Slome
a year ago


Sorted 👍

to join this conversation