Critical Vulnerability in Mura CMS < 10.0.580 and Masa CMS < 7.3.10


Brian Reilly

Jan 9, 2023, 1:44:34 PM
to Mura Digital Experience Platform
Hi all -

Starting a new thread on this, to raise awareness and get vulnerable environments patched. Mura CMS < 10.0.580 and Masa CMS < 7.3.10 are affected by a critical authentication bypass vulnerability. Patch this one now. Vulnerability details will be disclosed on March 6.

If you're running older versions of Mura, your best options are to either:

-Migrate to Masa CMS >= 7.3.10
-Contact Blueriver/Mura Software re: patch/upgrade options.

It was my understanding that a patch was going to be made freely available by Mura Software, but based on the conversation here: https://groups.google.com/g/mura-cms-developers/c/MpjNlYcs1MI it sounds like that may not be the case. The Mura CMS patch for this should be identical/very similar to the Masa CMS patch:

Regards,

Brian


matthew....@gmail.com

Jan 9, 2023, 2:07:42 PM
to Mura Digital Experience Platform
Brian,

Thank you for this. Is there a support channel / group for users seeking information to upgrade from MuraCMS Version 7.1.440 to the latest version of MasaCMS?

Matthew

Vincent de Winter

Jan 9, 2023, 2:31:23 PM
to Mura Digital Experience Platform
Hi Matthew,

Valid question regarding the online channel / group. We do not have a dedicated Google Group or channel. We simply did not get to it yet. For now - in case of questions - please drop them on https://github.com/MasaCMS/MasaCMS/discussions and we will monitor it. Or reach out directly via email: vin...@wearenorth.eu

Regards
Vincent

Tracey Abrams

Jan 9, 2023, 3:07:57 PM
to mura-cms-...@googlegroups.com
If you need help let me know, always around to lend a hand to those migrating.

--
You received this message because you are subscribed to the Google Groups "Mura Digital Experience Platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mura-cms-develo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mura-cms-developers/3854c07c-0258-487a-9eb1-55b56224e378n%40googlegroups.com.

Matt Levine

Jan 11, 2023, 4:45:51 PM
to mura-cms-...@googlegroups.com
I’d like to publicly thank Brian for bringing this issue to our attention. Without him we’d still not be aware of it. We misstated in an email to our clients that we discovered it. We did not; we provided the patch.

Sorry to Brian for any confusion. The credit should go where it is deserved, and you deserve a ton of credit for your effort.

-Matt Levine 
Blueriver 


Brian Reilly

Jan 12, 2023, 5:46:15 PM
to Mura Digital Experience Platform
Thank you, Matt.

Brian Reilly

Mar 6, 2023, 8:11:36 AM
to Mura Digital Experience Platform
I released the full advisory on the Mura CMS / Masa CMS authentication bypass vulnerability (CVE-2022-47003 / CVE-2022-47002) today - https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html. In addition to technical details about the vulnerability, I also share some thoughts on quick fixes for sites running older, unsupported open source Mura CMS that can't immediately migrate to Masa CMS.

Brian