{"id":"CVE-2022-42731","details":"mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user, because the device registration challenge is not invalidated after it has been used.","aliases":["GHSA-vw39-2wj9-4q86","PYSEC-2022-303"],"modified":"2026-04-10T04:52:11.592337Z","published":"2022-10-11T14:15:10.053Z","references":[{"type":"ADVISORY","url":"https://github.com/mkalioby/django-mfa2/releases/tag/v2.5.1-release"},{"type":"ADVISORY","url":"https://github.com/mkalioby/django-mfa2/releases/tag/v2.6.1-release"},{"type":"EVIDENCE","url":"https://github.com/mkalioby/django-mfa2/blob/0936ea253354dd95cb127f09d0efa31324caef27/mfa/FIDO2.py#L58"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mkalioby/django-mfa2","events":[{"introduced":"0"},{"fixed":"84b9d297d21170eab89b73dcb25f9ea7dcc64b82"},{"introduced":"4903967c23e7dc515090c26bcacec2b64d8dbe9d"},{"fixed":"2d7b80bf5a7b67816dbf57af2b7ae33347b24d5f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.1"},{"introduced":"2.6.0"},{"fixed":"2.6.1"}]}}],"versions":["0.9","v1.1.6","v1.3","v1.7.11","v1.9","v2.0","v2.0.1","v2.0.3","v2.0.5","v2.2.0","v2.3.0","v2.4.0","v2.6.0-release"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42731.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}