CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-WQ58-62G3-92FC
Vulnerability from github – Published: 2023-07-12 18:30 – Updated: 2024-04-04 06:04Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2023-29301"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T16:15:11Z",
"severity": "HIGH"
},
"details": "Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction.",
"id": "GHSA-wq58-62g3-92fc",
"modified": "2024-04-04T06:04:25Z",
"published": "2023-07-12T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29301"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWHP-85CV-F9CJ
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2025-27456"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T12:15:23Z",
"severity": "HIGH"
},
"details": "The SMB server\u0027s login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
"id": "GHSA-wwhp-85cv-f9cj",
"modified": "2025-07-03T12:34:58Z",
"published": "2025-07-03T12:34:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27456"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.endress.com"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWRJ-3HVJ-PRPM
Vulnerability from github – Published: 2025-12-15 20:59 – Updated: 2026-01-06 22:41Summary
When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (trustProxy) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly.
Workaround
If you are running Misskey with a trusted reverse proxy, you should not be affected by this vulnerability.
- There is no workaround for the Misskey itself. Please update Misskey to the latest version or set up a trusted reverse proxy.
- From v2025.9.1 to v2025.11.1, workaround is available. Set
trustProxy: falsein config file. - This is patched in v2025.12.0 by flipping default value of
trustProxytofalse. If you are using trusted reverse proxy and not remember you manually overrided this value, please take time to check your config for optimal behavior.
Details
Fastify recommend not trusting X-Forwarded-For IPs Due to misconfiguration in https://github.com/misskey-dev/misskey/blob/develop/packages/backend/src/server/api/SigninApiService.ts#L94 attacks can spoof their IPs.
PoC
POST /api/signin-flow HTTP/1.1
Host: misskey.localhost:3123
Content-Length: 45
Content-Type: application/json
Connection: keep-alive
X-Forwarded-For: 127.1.1.31, 1.1.1.12
{"username":"admin",
"password":"password"}
Impact
An attacker can brute force accounts bypassing rate limiting protection.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "misskey-js"
},
"ranges": [
{
"events": [
{
"introduced": "2025.9.1"
},
{
"fixed": "2025.12.0-alpha.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66482"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-15T20:59:59Z",
"nvd_published_at": "2025-12-16T00:16:02Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly.\n\n### Workaround\n\nIf you are running Misskey with a trusted reverse proxy, you should *not* be affected by this vulnerability.\n\n- There is no workaround for the Misskey itself. Please update Misskey to the latest version or set up a trusted reverse proxy.\n- From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.\n- This is patched in v2025.12.0 by flipping default value of `trustProxy` to `false`. If you are using trusted reverse proxy and not remember you manually overrided this value, please take time to check your config for optimal behavior.\n\n### Details\n[Fastify recommend not trusting X-Forwarded-For IPs](https://fastify.dev/docs/latest/Reference/Server/#trustproxy)\nDue to misconfiguration in https://github.com/misskey-dev/misskey/blob/develop/packages/backend/src/server/api/SigninApiService.ts#L94 attacks can spoof their IPs.\n\n### PoC\n\n```\nPOST /api/signin-flow HTTP/1.1\nHost: misskey.localhost:3123\nContent-Length: 45\nContent-Type: application/json\nConnection: keep-alive\nX-Forwarded-For: 127.1.1.31, 1.1.1.12\n\n{\"username\":\"admin\",\n\t\"password\":\"password\"}\n```\n\n\n\n### Impact\nAn attacker can brute force accounts bypassing rate limiting protection.",
"id": "GHSA-wwrj-3hvj-prpm",
"modified": "2026-01-06T22:41:27Z",
"published": "2025-12-15T20:59:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66482"
},
{
"type": "WEB",
"url": "https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/misskey-dev/misskey"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Misskey has a login rate limit bypass via spoofed X-Forwarded-For header"
}
GHSA-WWW3-95VV-VGX8
Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2022-05-17 02:58An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Administration passwords can be retried without authenticating.
{
"affected": [],
"aliases": [
"CVE-2016-9361"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series \u0026 NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Administration passwords can be retried without authenticating.",
"id": "GHSA-www3-95vv-vgx8",
"modified": "2022-05-17T02:58:45Z",
"published": "2022-05-17T02:58:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9361"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/85965"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWW5-6JRX-9MWQ
Vulnerability from github – Published: 2024-10-01 15:32 – Updated: 2024-10-01 18:31A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.
{
"affected": [],
"aliases": [
"CVE-2024-41276"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-01T14:15:05Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.",
"id": "GHSA-www5-6jrx-9mwq",
"modified": "2024-10-01T18:31:18Z",
"published": "2024-10-01T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41276"
},
{
"type": "WEB",
"url": "https://github.com/artemy-ccrsky/CVE-2024-41276"
},
{
"type": "WEB",
"url": "https://kaiten.ru"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX6J-WW2H-4PFW
Vulnerability from github – Published: 2023-10-31 18:31 – Updated: 2023-11-08 18:30A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.
{
"affected": [],
"aliases": [
"CVE-2023-37832"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-31T18:15:08Z",
"severity": "HIGH"
},
"details": "A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.",
"id": "GHSA-wx6j-ww2h-4pfw",
"modified": "2023-11-08T18:30:31Z",
"published": "2023-10-31T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37832"
},
{
"type": "WEB",
"url": "https://github.com/strik3r0x1/Vulns/blob/main/Lack%20of%20resources%20and%20rate%20limiting%20-%20Elenos.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2CC-CQCM-PM2J
Vulnerability from github – Published: 2026-01-08 18:30 – Updated: 2026-01-08 18:30An issue in GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. GL.Inet AX1800 Version 4.6.4 & 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory.
{
"affected": [],
"aliases": [
"CVE-2025-67091"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T16:15:45Z",
"severity": "MODERATE"
},
"details": "An issue in GL Inet GL.Inet AX1800 Version 4.6.4 \u0026 4.6.8 are vulnerable. GL.Inet AX1800 Version 4.6.4 \u0026 4.6.8 in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory.",
"id": "GHSA-x2cc-cqcm-pm2j",
"modified": "2026-01-08T18:30:49Z",
"published": "2026-01-08T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67091"
},
{
"type": "WEB",
"url": "https://aleksazatezalo.medium.com/critical-authentication-bypass-vulnerability-in-gl-inet-gl-axt1800-router-firmware-f19442ca721d"
},
{
"type": "WEB",
"url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub"
},
{
"type": "WEB",
"url": "https://www.gl-inet.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2J4-7CP7-CFF7
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-09 00:00While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942.
{
"affected": [],
"aliases": [
"CVE-2022-22496"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942.",
"id": "GHSA-x2j4-7cp7-cff7",
"modified": "2022-07-09T00:00:25Z",
"published": "2022-07-01T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22496"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/226942"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6596881"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X32M-MVFJ-52XV
Vulnerability from github – Published: 2024-03-18 17:21 – Updated: 2025-01-09 18:51Summary
An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.
Details
The issue arises from two main vulnerabilities:
- The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.
- The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force protections.
// LoginAttempts is a timestamped counter for failed login attempts
type LoginAttempts struct {
// Time of the last failed login LastFailed time.Time `json:"lastFailed"` // Number of consecutive login failures FailCount int `json:"failCount"`
}
By chaining these vulnerabilities, an attacker can circumvent the limitations placed on the number of login attempts.
PoC
- Run the provided PoC script.
- Observe that the script makes 6 login attempts, one more than the set limit of 5 failed attempts.
- This is made possible because the script triggers a server restart via the DoS vulnerability after 5 failed attempts, thus resetting the counter for failed login attempts.
Impact
This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21652"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-18T17:21:17Z",
"nvd_published_at": "2024-03-18T18:15:09Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAn attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application\u0027s brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.\n\n### Details\nThe issue arises from two main vulnerabilities:\n\n1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.\n2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force protections.\n\n```go\n// LoginAttempts is a timestamped counter for failed login attempts\n\ntype LoginAttempts struct { \n// Time of the last failed login LastFailed time.Time `json:\"lastFailed\"` // Number of consecutive login failures FailCount int `json:\"failCount\"`\n\n}\n```\n\nBy chaining these vulnerabilities, an attacker can circumvent the limitations placed on the number of login attempts.\n\n### PoC\n1. Run the provided PoC script.\n2. Observe that the script makes 6 login attempts, one more than the set limit of 5 failed attempts.\n3. This is made possible because the script triggers a server restart via the DoS vulnerability after 5 failed attempts, thus resetting the counter for failed login attempts.\n\n### Impact\nThis is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise.\n",
"id": "GHSA-x32m-mvfj-52xv",
"modified": "2025-01-09T18:51:54Z",
"published": "2024-03-18T17:21:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"
},
{
"type": "WEB",
"url": "https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss"
}
GHSA-X656-FQ6F-V9RF
Vulnerability from github – Published: 2024-04-24 12:30 – Updated: 2024-04-24 12:30Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing.
{
"affected": [],
"aliases": [
"CVE-2024-28825"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-24T12:15:06Z",
"severity": "MODERATE"
},
"details": "Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing.",
"id": "GHSA-x656-fq6f-v9rf",
"modified": "2024-04-24T12:30:42Z",
"published": "2024-04-24T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28825"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/15198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.