Please provide clarification about 4.6.0 security vulnerability

Hi,

it was possible to gain access to any account on a server running Nginx, where the login is known and two-factor authentication is disabled and if the user could be tricked into doing some specific action.

I’m trying to understand this sentence better, which uses ‘account’ and ‘login’ and ‘user’ all in the one sentence. Can anyone please confirm if the below is accurate?

‘any account on a server running Nginx’ refers to Matomo user accounts, not UNIX accounts on the server?

‘where the login is known’ - does ‘login’ here refer to the same as above, that is, the Matomo username?

‘the user could be tricked into doing some specific action’ - so that’s the same Matomo account, with a user logged into it in an active session, being tricked into going to a crafted Matomo URL sent to them by the attacker?

In other words: “it was possible to gain access to any Matomo account on a server running Nginx, where that Matomo account’s username is known to the attacker, and two-factor authentication is disabled on that target account, and if the user currently logged into that Matomo account could be tricked into doing some specific action.”

?

Thanks…

Hi mig5, thanks for pointing this out. We have made it a bit clearer on the changelog now with this statement:

We fixed an issue where it was possible to gain access to any Matomo user account on a server running Nginx, where the Matomo user login is known and two-factor authentication is disabled and if the Matomo user could be tricked into doing some specific action. It is strongly recommended to use two-factor authentication for the safety of your account.

Hopefully that answers your questions, but in summary, yes, your guesses are correct: we are referring to Matomo accounts, users and logins rather than the server/OS.

Hi, is Matomo 3.14 impacted by the vulnerability?