Fixing CVE-2022-42731

2022-10-10 17:07:01 +03:00
3 changed files with 5 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,7 @@
 # Change Log
+## 2.5.1
+* Fix: CVE-2022-42731: related to possibility of registration replay attack thanks to 'SSE (Secure Systems Engineering)' 
+   
 ## 2.5.0

   * Fixed: issue in the 'Authorize' button don't show on Firefox and Chrome on iOS.
--- a/mfa/FIDO2.py
+++ b/mfa/FIDO2.py
@@ -57,7 +57,7 @@ def complete_reg(request):
        att_obj = AttestationObject((data['attestationObject']))
        server = getServer()
        auth_data = server.register_complete(
-            request.session.pop('fido_state'),
+            request.session.pop['fido_state'],
            client_data,
            att_obj
        )
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools import find_packages, setup

 setup(
    name='django-mfa2',
-    version='2.5.0',
+    version='2.5.1',
    description='Allows user to add 2FA to their accounts',
    long_description=open("README.md").read(),
    long_description_content_type="text/markdown",