CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-JQGG-5JPG-2HH9
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
{
"affected": [],
"aliases": [
"CVE-2018-15759"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-19T14:29:00Z",
"severity": "CRITICAL"
},
"details": "Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.",
"id": "GHSA-jqgg-5jpg-2hh9",
"modified": "2022-05-13T01:34:08Z",
"published": "2022-05-13T01:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15759"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2018-15759"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR54-JWHJ-55GP
Vulnerability from github – Published: 2026-06-05 16:03 – Updated: 2026-06-05 16:03Summary
Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.
Details
The unknown-user branch in auth.service.ts now performs a bcrypt.compare against
a fixed dummy hash so the response time of failed sign-ins is approximately
independent of whether the address exists. Rate limiting on the sign-in endpoint is
implemented in the Enterprise build only and is not affected by this advisory.
Impact
A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.
Credit
This issue was reported by @AndyAnh174.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.04.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47380"
],
"database_specific": {
"cwe_ids": [
"CWE-208",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:03:55Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nSign-in response timing differed between known and unknown email addresses because\nthe unknown-user branch returned without performing a password hash comparison.\n\n### Details\nThe unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against\na fixed dummy hash so the response time of failed sign-ins is approximately\nindependent of whether the address exists. Rate limiting on the sign-in endpoint is\nimplemented in the Enterprise build only and is not affected by this advisory.\n\n### Impact\nA network-positioned attacker could enumerate registered email addresses by timing\nsign-in responses. Exploitation requires only the ability to send unauthenticated\nsign-in requests.\n\n### Credit\nThis issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).",
"id": "GHSA-jr54-jwhj-55gp",
"modified": "2026-06-05T16:03:55Z",
"published": "2026-06-05T16:03:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "NocoDB: User Enumeration via Sign-In Timing"
}
GHSA-JRC6-WGVP-2F2R
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects:
{
"affected": [],
"aliases": [
"CVE-2020-6875"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-05T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects: \u003cZXONE 19700 SNPE\u003e\u003cZXONE8700V1.40R2B13_SNPE\u003e",
"id": "GHSA-jrc6-wgvp-2f2r",
"modified": "2022-05-24T17:30:06Z",
"published": "2022-05-24T17:30:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6875"
},
{
"type": "WEB",
"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013643"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JRPP-V555-XQMP
Vulnerability from github – Published: 2023-08-08 18:30 – Updated: 2024-04-04 06:41Microsoft Exchange Server Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-21709"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T18:15:11Z",
"severity": "CRITICAL"
},
"details": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
"id": "GHSA-jrpp-v555-xqmp",
"modified": "2024-04-04T06:41:10Z",
"published": "2023-08-08T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21709"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV87-32HW-HH99
Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-03-27 21:59Impact
What kind of vulnerability is it? Who is impacted?
MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim's S3 buckets and objects.
All deployments with LDAP configured running an affected version are impacted.
There are two vulnerabilities:
- User Enumeration via Distinguishable Error Messages (CWE-204)
- Missing Rate Limiting on STS Authentication Endpoints (CWE-307)
When exploited together, an attacker can:
- Enumerate valid LDAP usernames by observing error message differences.
- Perform high-speed password brute-force attacks against confirmed valid users.
- Upon finding valid credentials, obtain temporary AWS-style STS credentials (
AccessKeyId,SecretAccessKey,SessionToken) with full access to the victim user's S3 resources.
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
Patches
Fixed in: MinIO AIStor RELEASE.2026-03-17T21-25-16Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260317212516.0.0_amd64.deb |
| DEB | arm64 | minio_20260317212516.0.0_arm64.deb |
| RPM | amd64 | minio-20260317212516.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260317212516.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
- Network-level rate limiting: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the
/?Action=AssumeRoleWithLDAPIdentityendpoint. - Firewall restrictions: Restrict access to the STS endpoint to trusted networks/IP ranges only.
- LDAP account lockout: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33419"
],
"database_specific": {
"cwe_ids": [
"CWE-204",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:47:54Z",
"nvd_published_at": "2026-03-24T20:16:29Z",
"severity": "CRITICAL"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nMinIO AIStor\u0027s STS (Security Token Service) `AssumeRoleWithLDAPIdentity` endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: (1) distinguishable error responses that enable username enumeration, and (2) absence of rate limiting on authentication attempts. An unauthenticated network attacker can enumerate valid LDAP usernames and then perform unlimited password guessing to obtain temporary AWS-style STS credentials, gaining access to the victim\u0027s S3 buckets and objects.\n\nAll deployments with LDAP configured running an affected version are impacted.\n\nThere are two vulnerabilities:\n\n1. User Enumeration via Distinguishable Error Messages (CWE-204)\n2. Missing Rate Limiting on STS Authentication Endpoints (CWE-307)\n\nWhen exploited together, an attacker can:\n\n1. Enumerate valid LDAP usernames by observing error message differences.\n3. Perform high-speed password brute-force attacks against confirmed valid users.\n4. Upon finding valid credentials, obtain temporary AWS-style STS credentials (`AccessKeyId`, `SecretAccessKey`, `SessionToken`) with full access to the victim user\u0027s S3 resources.\n\n### Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\n### Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-17T21-25-16Z\n\n#### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n#### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | --------------------------------------------------------------------------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n#### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| DEB | amd64 | [minio_20260317212516.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260317212516.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260317212516.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260317212516.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260317212516.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260317212516.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260317212516.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260317212516.0.0-1.aarch64.rpm) |\n\n#### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-17T21-25-16Z.fips\n```\n\n#### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n \n\n### Workarounds\n\n- [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-17T21-25-16Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Network-level rate limiting**: Use a reverse proxy (e.g., nginx, HAProxy) or WAF to rate-limit requests to the `/?Action=AssumeRoleWithLDAPIdentity` endpoint.\n- **Firewall restrictions**: Restrict access to the STS endpoint to trusted networks/IP ranges only.\n- **LDAP account lockout**: Configure account lockout policies on the LDAP server itself (e.g., Active Directory lockout threshold). Note: this protects against brute-force but not enumeration, and may cause denial-of-service for legitimate users.",
"id": "GHSA-jv87-32hw-hh99",
"modified": "2026-03-27T21:59:08Z",
"published": "2026-03-20T20:47:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33419"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO LDAP login brute-force via user enumeration and missing rate limit"
}
GHSA-JVXM-6MGQ-929W
Vulnerability from github – Published: 2024-03-18 18:32 – Updated: 2024-03-18 18:32CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form.
{
"affected": [],
"aliases": [
"CVE-2024-2051"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T16:15:09Z",
"severity": "CRITICAL"
},
"details": "\nCWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that\ncould cause account takeover and unauthorized access to the system when an attacker\nconducts brute-force attacks against the login form.\n\n",
"id": "GHSA-jvxm-6mgq-929w",
"modified": "2024-03-18T18:32:18Z",
"published": "2024-03-18T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2051"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-072-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-072-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW8X-5MQR-HF4M
Vulnerability from github – Published: 2024-06-29 06:31 – Updated: 2024-06-29 06:31IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. IBM X-Force ID: 281678.
{
"affected": [],
"aliases": [
"CVE-2024-25031"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-28T19:15:04Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. IBM X-Force ID: 281678.",
"id": "GHSA-jw8x-5mqr-hf4m",
"modified": "2024-06-29T06:31:39Z",
"published": "2024-06-29T06:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25031"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/281678"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7158446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXGV-3JV5-8MH9
Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2021-12-01 00:00Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges.
{
"affected": [],
"aliases": [
"CVE-2021-42544"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-30T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH\u00e2\u20ac\u2122s TopEase\u00c2\u00ae Platform Version \u003c= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges.",
"id": "GHSA-jxgv-3jv5-8mh9",
"modified": "2021-12-01T00:00:42Z",
"published": "2021-12-01T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42544"
},
{
"type": "WEB",
"url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JXQ8-VF97-XQR3
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-08 21:32JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.
{
"affected": [],
"aliases": [
"CVE-2024-55008"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:36Z",
"severity": "HIGH"
},
"details": "JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.",
"id": "GHSA-jxq8-vf97-xqr3",
"modified": "2025-01-08T21:32:25Z",
"published": "2025-01-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55008"
},
{
"type": "WEB",
"url": "https://hacking-notes.medium.com/cve-2024-51379-jatos-v3-9-4-account-lockout-denial-of-service-cc970f4ca58f"
},
{
"type": "WEB",
"url": "http://jatos.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2FJ-PXHR-MX98
Vulnerability from github – Published: 2023-11-18 00:30 – Updated: 2025-09-29 15:30kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.
{
"affected": [],
"aliases": [
"CVE-2023-48028"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-18T00:15:07Z",
"severity": "CRITICAL"
},
"details": "kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.",
"id": "GHSA-m2fj-pxhr-mx98",
"modified": "2025-09-29T15:30:29Z",
"published": "2023-11-18T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48028"
},
{
"type": "WEB",
"url": "https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae"
},
{
"type": "WEB",
"url": "https://nitipoom-jar.github.io/CVE-2023-48028"
},
{
"type": "WEB",
"url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.