Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

903 vulnerabilities reference this CWE, most recent first.

GHSA-HC8R-P4JW-P6FR

Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30
VLAI
Details

AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.

The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T14:17:50Z",
    "severity": "MODERATE"
  },
  "details": "AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.\n\n\nThe patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.",
  "id": "GHSA-hc8r-p4jw-p6fr",
  "modified": "2026-06-22T15:30:45Z",
  "published": "2026-06-22T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ail-project/ail-framework/commit/d3a394fe68fd5aeee86f3a3c91d4a0350f91e974"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HCHV-VV89-9PXP

Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-19 19:00
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user\u0027s password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.",
  "id": "GHSA-hchv-vv89-9pxp",
  "modified": "2022-10-19T19:00:22Z",
  "published": "2022-10-17T19:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3031"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3031.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/340395"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HF62-5VXH-JPWJ

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-08-01 23:40
VLAI
Summary
Pimcore 2FA Vulnerable to Brute Forcing
Details

Pimcore before 6.2.2 lacks brute force protection for the 2FA token.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-18985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-01T23:40:34Z",
    "nvd_published_at": "2019-11-15T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Pimcore before 6.2.2 lacks brute force protection for the 2FA token.",
  "id": "GHSA-hf62-5vxh-jpwj",
  "modified": "2023-08-01T23:40:34Z",
  "published": "2022-05-24T17:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18985"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore 2FA Vulnerable to Brute Forcing"
}

GHSA-HFHH-3VVV-4GQF

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An \"User enumeration and Improper Restriction of Excessive Authentication Attempts\" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.",
  "id": "GHSA-hfhh-3vvv-4gqf",
  "modified": "2022-05-24T17:35:12Z",
  "published": "2022-05-24T17:35:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28206"
    },
    {
      "type": "WEB",
      "url": "https://justrealstag.medium.com/user-enumeration-improper-restriction-of-excessive-authentication-attempts-in-bitrix-98933a97e0e6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HFPP-2VHW-QQ43

Vulnerability from github – Published: 2024-05-15 21:14 – Updated: 2024-05-15 21:14
VLAI
Summary
eZ Platform Admin UI Password reset vulnerability
Details

his Security Update fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. It affects eZ Platform 2.x.

The functionality for resetting a forgotten password is vulnerable to brute force attack. Depending on configuration and other circumstances an attacker may exploit this to gain control over user accounts. The update ensures such an attack is exceedingly unlikely to succeed.

You may want to consider a configuration change to further strengthen your security. By default a password reset request is valid for 1 hour. Reducing this time will make attacks even more difficult, but ensure there is enough time left to account for email delivery delays, and user delays. See documentation at https://doc.ezplatform.com/en/latest/guide/user_management/#changing-and-recovering-passwords

To install, use Composer to update to one of the "Resolving versions" mentioned above. If you use eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. If you use eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, and ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ezsystems/ezplatform-user"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:14:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "his Security Update fixes a severe vulnerability in the eZ Platform Admin UI, and we recommend that you install it as soon as possible. It affects eZ Platform 2.x.\n \nThe functionality for resetting a forgotten password is vulnerable to brute force attack. Depending on configuration and other circumstances an attacker may exploit this to gain control over user accounts. The update ensures such an attack is exceedingly unlikely to succeed.\n \nYou may want to consider a configuration change to further strengthen your security. By default a password reset request is valid for 1 hour. Reducing this time will make attacks even more difficult, but ensure there is enough time left to account for email delivery delays, and user delays. See documentation at https://doc.ezplatform.com/en/latest/guide/user_management/#changing-and-recovering-passwords\n\nTo install, use Composer to update to one of the \"Resolving versions\" mentioned above. If you use eZ Platform 2.5, update ezsystems/ezplatform-user to v1.0.1. If you use eZ Platform 2.4, update ezsystems/ezplatform-admin-ui to v1.4.6, and ezsystems/ezplatform-admin-ui-modules to v1.4.4, and ezsystems/repository-forms to v2.4.5)",
  "id": "GHSA-hfpp-2vhw-qq43",
  "modified": "2024-05-15T21:14:48Z",
  "published": "2024-05-15T21:14:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform-user/2019-04-03-1.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ezsystems/ezplatform-user"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201025103933/https://share.ez.no/community-project/security-advisories/ezsa-2019-002-password-reset-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "eZ Platform Admin UI Password reset vulnerability"
}

GHSA-HH96-8FF8-HWHP

Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30
VLAI
Details

IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 275107.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.  IBM X-Force ID:  275107.\n\n",
  "id": "GHSA-hh96-8ff8-hwhp",
  "modified": "2024-02-02T03:30:31Z",
  "published": "2024-02-02T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50326"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275107"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7113759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHWC-FXXW-WFMX

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:37
VLAI
Details

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.",
  "id": "GHSA-hhwc-fxxw-wfmx",
  "modified": "2024-04-04T01:37:09Z",
  "published": "2022-05-24T16:53:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14951"
    },
    {
      "type": "WEB",
      "url": "https://sites.google.com/site/iosappnss/more-vulnerable-apps-and-libraries"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ39-Q7CJ-VFHF

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-07T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.",
  "id": "GHSA-hj39-q7cj-vfhf",
  "modified": "2022-05-13T01:50:25Z",
  "published": "2022-05-13T01:50:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16703"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gleez/cms/issues/802"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJJ4-HFJM-FMRJ

Vulnerability from github – Published: 2026-05-29 21:21 – Updated: 2026-06-26 21:32
VLAI
Summary
Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Details

Impact

CVSSv4 Baseline Score: Moderate 6.3

CVSSv4 Weighted Score: Low 2.9

The full CVSSv4 Vector for this vulnerability is:

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green

CVSSv3.1 Baseline Score: Low 3.7

CVSSv3.1 Overall Score: Medium 4.0

The full CVSSv3.1 Vector equivalent for this vulnerability is:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N

The weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in addition to the fact it's unlikely that it is being exploited currently.

Due to lack of canonicalization of the basic auth username, the effectiveness of the brute force mechanism when using basic auth is partially degraded.

Most passwords of reasonable length are unlikely to have a meaningful effect due to the fact there is no clear feedback to an attacker that is attempting to exploit this, thus their brute force attempts are significantly more likely to miss a valid password than they are identify a valid one.

Details

When a user authenticates via Basic Auth (i.e via the Authorization header with the Basic scheme) on the authz verification endpoint, Authelia takes the username directly from the Authorization header and passes it as is to the regulation system for ban checking and attempt recording.

LDAP treats usernames case insensitively : john, John, and JOHN all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket.

Notable conditions or unaffected configurations:

  1. The first factor login endpoint (/api/firstfactor) is not affected
  2. The LDAP authentication backend must be in use.
  3. If the underlying database is case insensitive (as it should be with the collation we use for MySQL) it is not affected
  4. Administrators using the recently added IP regulation mode are not affected
  5. Administrators using a third-party tool such as CrowdSec or fail2ban are not affected
  6. Administrators that have disabled basic auth are not affected

Patches

Upgrade to 4.39.20.

Commit: https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad

Workarounds

Explicitly disable the basic auth mechanism.

Caddy, HAProxy, and Traefik

server:
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        authn_strategies:
          - name: 'CookieSession'

nginx

server:
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'
        authn_strategies:
          - name: 'CookieSession'

Envoy

server:
  endpoints:
    authz:
      ext-authz:
        implementation: 'ExtAuthz'
        authn_strategies:
          - name: 'CookieSession'

References

N/A

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.39.19"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authelia/authelia/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.38.0"
            },
            {
              "fixed": "4.39.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T21:21:12Z",
    "nvd_published_at": "2026-06-19T21:16:57Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\n**CVSSv4 Baseline Score:** Moderate 6.3\n\n**CVSSv4 Weighted Score:** Low 2.9\n\nThe full CVSSv4 Vector for this vulnerability is:\n\n\u003e CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green\n\n**CVSSv3.1 Baseline Score:** Low 3.7\n\n**CVSSv3.1 Overall Score:** Medium 4.0\n\nThe full CVSSv3.1 Vector equivalent for this vulnerability is:\n\n\u003e CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X/CR:H/IR:L/AR:L/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N\n\nThe weighted severity rating is a result of no indication this is currently being exploited being available at the time of the publish date, in addition to the fact it\u0027s unlikely that it is being exploited currently.\n\nDue to lack of canonicalization of the basic auth username, the effectiveness of the brute force mechanism when using basic auth is partially degraded.\n\nMost passwords of reasonable length are unlikely to have a meaningful effect due to the fact there is no clear feedback to an attacker that is attempting to exploit this, thus their brute force attempts are significantly more likely to miss a valid password than they are identify a valid one.\n\n### Details\n\nWhen a user authenticates via Basic Auth (i.e via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording.\n\nLDAP treats usernames case insensitively : `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case sensitive. This allows each variation of a usernames case to have its own ban bucket.\n\nNotable conditions or unaffected configurations:\n\n1.  The first factor login endpoint (`/api/firstfactor`) is **not** affected\n2. The LDAP authentication backend must be in use.\n3. If the underlying database is case insensitive (as it should be with the collation we use for MySQL) it is **not** affected\n4. Administrators using the recently added IP regulation mode are **not** affected\n5. Administrators using a third-party tool such as CrowdSec or fail2ban are **not** affected\n6. Administrators that have disabled basic auth are **not** affected\n\n### Patches\n\nUpgrade to 4.39.20.\n\nCommit: https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad\n\n### Workarounds\n\nExplicitly disable the basic auth mechanism.\n\n#### Caddy, HAProxy, and Traefik\n\n```yaml\nserver:\n  endpoints:\n    authz:\n      forward-auth:\n        implementation: \u0027ForwardAuth\u0027\n        authn_strategies:\n          - name: \u0027CookieSession\u0027\n```\n\n#### nginx\n\n```yaml\nserver:\n  endpoints:\n    authz:\n      auth-request:\n        implementation: \u0027AuthRequest\u0027\n        authn_strategies:\n          - name: \u0027CookieSession\u0027\n```\n\n#### Envoy\n\n```yaml\nserver:\n  endpoints:\n    authz:\n      ext-authz:\n        implementation: \u0027ExtAuthz\u0027\n        authn_strategies:\n          - name: \u0027CookieSession\u0027\n```\n\n### References\n\nN/A",
  "id": "GHSA-hjj4-hfjm-fmrj",
  "modified": "2026-06-26T21:32:40Z",
  "published": "2026-05-29T21:21:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authelia/authelia/security/advisories/GHSA-hjj4-hfjm-fmrj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authelia/authelia/commit/b8985b57b70acdff8f204ed426ff619e763461ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authelia/authelia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:H/MAT:N/MPR:N/MUI:N/MVC:L/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authelia Missing Username Canonicalization in Basic Auth (LDAP)"
}

GHSA-HJQ5-V65P-2P24

Vulnerability from github – Published: 2021-11-20 00:00 – Updated: 2024-02-27 18:59
VLAI
Details

A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-19T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request.",
  "id": "GHSA-hjq5-v65p-2p24",
  "modified": "2024-02-27T18:59:09Z",
  "published": "2021-11-20T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41435"
    },
    {
      "type": "WEB",
      "url": "https://rog.asus.com/networking/rog-rapture-gt-ax11000-model/helpdesk_bios"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-AX-XT8-/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/Whole-Home-Mesh-WiFi-System/ZenWiFi-WiFi-Systems/ASUS-ZenWiFi-XD6/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX3000/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX56U/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AX68U/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/All-series/RT-AX55/HelpDesk_BIOS"
    },
    {
      "type": "WEB",
      "url": "http://asus.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.