CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-3WC6-Q483-GP6R
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Improper restriction of excessive authentication attempts in LOGITEC LAN-WH450N/GR allows an attacker in the wireless range of the device to recover PIN and access the network.
{
"affected": [],
"aliases": [
"CVE-2021-20635"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-12T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper restriction of excessive authentication attempts in LOGITEC LAN-WH450N/GR allows an attacker in the wireless range of the device to recover PIN and access the network.",
"id": "GHSA-3wc6-q483-gp6r",
"modified": "2022-05-24T17:42:04Z",
"published": "2022-05-24T17:42:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20635"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN96783542/index.html"
},
{
"type": "WEB",
"url": "https://www.elecom.co.jp/news/security/20210126-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3XVV-XJHM-3GVF
Vulnerability from github – Published: 2025-07-28 18:31 – Updated: 2025-07-28 18:31IBM Informix Dynamic Server 12.10 and 14.10 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
{
"affected": [],
"aliases": [
"CVE-2024-49342"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T16:15:24Z",
"severity": "HIGH"
},
"details": "IBM Informix Dynamic Server 12.10 and 14.10 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.",
"id": "GHSA-3xvv-xjhm-3gvf",
"modified": "2025-07-28T18:31:25Z",
"published": "2025-07-28T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49342"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7240777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4225-97PR-RR52
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2024-05-14 17:21OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "10.0"
},
{
"fixed": "16.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "17.0"
},
{
"fixed": "17.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "18.0"
},
{
"fixed": "18.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "19.0"
},
{
"fixed": "19.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-38155"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T17:21:32Z",
"nvd_published_at": "2021-08-06T21:15:00Z",
"severity": "HIGH"
},
"details": "OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account\u0027s corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.",
"id": "GHSA-4225-97pr-rr52",
"modified": "2024-05-14T17:21:32Z",
"published": "2022-05-24T19:10:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38155"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/1b573ae7d1c20e0ebfbde79bbe7538a09589c75d"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/8ab4eb27be4c13c9bab2b3ea700f00a190521bf8"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/ac2631ae33445877094cdae796fbcdce8833a626"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1688137"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2021-003.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/08/10/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Keystone allows information disclosure during account locking"
}
GHSA-437X-5R3X-XHCF
Vulnerability from github – Published: 2025-06-12 15:31 – Updated: 2025-06-12 15:31The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2025-49186"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-12T14:15:31Z",
"severity": "MODERATE"
},
"details": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
"id": "GHSA-437x-5r3x-xhcf",
"modified": "2025-06-12T15:31:22Z",
"published": "2025-06-12T15:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49186"
},
{
"type": "WEB",
"url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43QQ-QW4X-28F8
Vulnerability from github – Published: 2022-10-18 21:14 – Updated: 2026-01-31 03:41TL;DR
This vulnerability only affects you if you are using the code or password-reset auth method with the auth.methods option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.
Introduction
User enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.
User enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.
Impact
Under normal circumstances, entering an invalid email address results in a "fake" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn't catch errors that occurred while the challenge request was processed:
- If the challenge itself runs into an error (e.g. if the email could not be sent), attackers could tell existing users (where the challenge code is called) from non-existing users (where the challenge code is not called and therefore does not output an error).
- If you are using the
user.login:failedhook and any exception is thrown within the hook, attackers could see that the user does not exist.
As long as no error occurs during challenge creation and during the processing of the user.login:failed hook, your Kirby sites are not affected by this vulnerability.
Patches
The problems have been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1 and Kirby 3.8.1. Please update to one of these or a later version to fix the vulnerability.
All of the mentioned releases contain two patches for this vulnerability:
- All errors that occur during the creation of an auth challenge (code-based login or password reset) are swallowed by the backend and only displayed to the user if debugging is enabled.
- We added a new
auth.debugoption that can be enabled separately from thedebugoption. If disabled, auth errors are only printed to the PHP error log. This ensures that security-critical errors are only displayed if they are really necessary for debugging.
Workarounds
We recommend to update to one of the patch releases. If you cannot update immediately, you can work around the issue by setting the auth.methods option to password, which disables the code-based login and password reset forms.
However please note that your site will still be vulnerable against another user enumeration issue that was also fixed in the same patch releases.
Credits
Thanks to Florian Merz (@florianmrz) of hatchery.io for responsibly reporting the identified issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.8.0"
]
}
],
"aliases": [
"CVE-2022-39314"
],
"database_specific": {
"cwe_ids": [
"CWE-204",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T21:14:04Z",
"nvd_published_at": "2022-10-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "### TL;DR\n\nThis vulnerability only affects you if you are using the `code` or `password-reset` auth method with the `auth.methods` option. It can only be successfully exploited under server configuration conditions outside of the attacker\u0027s control.\n\n----\n\n### Introduction\n\nUser enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.\n\nUser enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.\n\n### Impact\n\nUnder normal circumstances, entering an invalid email address results in a \"fake\" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn\u0027t catch errors that occurred while the challenge request was processed:\n\n- If the challenge itself runs into an error (e.g. if the email could not be sent), attackers could tell existing users (where the challenge code is called) from non-existing users (where the challenge code is not called and therefore does not output an error).\n- If you are using the `user.login:failed` hook and any exception is thrown within the hook, attackers could see that the user does not exist.\n\nAs long as no error occurs during challenge creation and during the processing of the `user.login:failed` hook, your Kirby sites are *not* affected by this vulnerability.\n\n### Patches\n\nThe problems have been patched in [Kirby 3.5.8.2](https://github.com/getkirby/kirby/releases/tag/3.5.8.2), [Kirby 3.6.6.2](https://github.com/getkirby/kirby/releases/tag/3.6.6.2), [Kirby 3.7.5.1](https://github.com/getkirby/kirby/releases/tag/3.7.5.1) and [Kirby 3.8.1](https://github.com/getkirby/kirby/releases/tag/3.8.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nAll of the mentioned releases contain two patches for this vulnerability:\n\n- All errors that occur during the creation of an auth challenge (code-based login or password reset) are swallowed by the backend and only displayed to the user if debugging is enabled.\n- We added a new `auth.debug` option that can be enabled separately from the `debug` option. If disabled, auth errors are only printed to the PHP error log. This ensures that security-critical errors are only displayed if they are really necessary for debugging.\n\n### Workarounds\n\nWe recommend to update to one of the patch releases. If you cannot update immediately, you can work around the issue by setting the `auth.methods` option to `password`, which disables the code-based login and password reset forms.\n\nHowever please note that your site will still be vulnerable against [another user enumeration issue](https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f) that was also fixed in the same patch releases.\n\n### Credits\n\nThanks to [Florian Merz](mailto:florian@hatchery.io) (@florianmrz) of [hatchery.io](https://www.hatchery.io/) for responsibly reporting the identified issue.",
"id": "GHSA-43qq-qw4x-28f8",
"modified": "2026-01-31T03:41:13Z",
"published": "2022-10-18T21:14:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39314"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms"
}
GHSA-45JP-55W8-4P9X
Vulnerability from github – Published: 2022-03-23 00:00 – Updated: 2023-08-08 15:31Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.
{
"affected": [],
"aliases": [
"CVE-2022-0652"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-22T00:15:00Z",
"severity": "HIGH"
},
"details": "Confd log files contain local users\u0027, including root\u00e2\u20ac\u2122s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.",
"id": "GHSA-45jp-55w8-4p9x",
"modified": "2023-08-08T15:31:52Z",
"published": "2022-03-23T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0652"
},
{
"type": "WEB",
"url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20220321-utm-9710"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45RC-FW3M-7FQ5
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute force attack against BMX interface. This is usable and part of an attack chain to gain SSH root access.
{
"affected": [],
"aliases": [
"CVE-2021-28911"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-09T18:15:00Z",
"severity": "CRITICAL"
},
"details": "BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute force attack against BMX interface. This is usable and part of an attack chain to gain SSH root access.",
"id": "GHSA-45rc-fw3m-7fq5",
"modified": "2022-05-24T19:13:58Z",
"published": "2022-05-24T19:13:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28911"
},
{
"type": "WEB",
"url": "https://psytester.github.io/CVE-2021-28911"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-46MH-FQPF-6685
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 15:31An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.
{
"affected": [],
"aliases": [
"CVE-2024-46442"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:27Z",
"severity": "CRITICAL"
},
"details": "An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.",
"id": "GHSA-46mh-fqpf-6685",
"modified": "2024-12-11T15:31:16Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46442"
},
{
"type": "WEB",
"url": "https://github.com/zgsnj123/BYD_headunit_vuls/tree/main"
},
{
"type": "WEB",
"url": "https://www.bydauto.com.cn"
},
{
"type": "WEB",
"url": "http://byd.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-47C4-H5XR-WVG6
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2025-1710"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T12:15:22Z",
"severity": "HIGH"
},
"details": "The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
"id": "GHSA-47c4-h5xr-wvg6",
"modified": "2025-07-03T12:34:57Z",
"published": "2025-07-03T12:34:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1710"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.endress.com"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-47QC-JVXC-FJMJ
Vulnerability from github – Published: 2023-06-28 21:30 – Updated: 2024-04-04 05:16D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts
{
"affected": [],
"aliases": [
"CVE-2023-32224"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-28T21:15:10Z",
"severity": "CRITICAL"
},
"details": "D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts",
"id": "GHSA-47qc-jvxc-fjmj",
"modified": "2024-04-04T05:16:26Z",
"published": "2023-06-28T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32224"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.