Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

905 vulnerabilities reference this CWE, most recent first.

GHSA-C55X-J339-WQ86

Vulnerability from github – Published: 2024-11-12 15:30 – Updated: 2024-11-12 15:30
VLAI
Details

A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T15:15:06Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-c55x-j339-wq86",
  "modified": "2024-11-12T15:30:43Z",
  "published": "2024-11-12T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11126"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.283974"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.283974"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.437096"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C69X-5XMW-V44X

Vulnerability from github – Published: 2024-03-06 15:25 – Updated: 2025-04-10 23:07
VLAI
Summary
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Details

Summary

Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server.

Details

The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.

PoC

  1. Capture login request in proxy tool like Burp Suite and select password field.

1

  1. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a 400 Bad Request status code with the message "Invalid Password" and response length 769 on 1st request which was sent at Tue, 16 Jan 2024 18:31:32 GMT

2

Note: We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes.

  1. Here the attack is completed and we can see in the following image we get 200 OK status code with the message "Ok" and response length 1509 on 271st request which was sent at Tue, 16 Jan 2024 18:32:01 GMT.

3

This means attacker can try 271 requests in 56 seconds.

Impact

This vulnerability allows attackers to get super user-level access over the server.

Mitigation

It is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like: If a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/IceWhaleTech/CasaOS-UserService"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.4.3"
            },
            {
              "fixed": "0.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24767"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T15:25:08Z",
    "nvd_published_at": "2024-03-06T18:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nHere it is observed that the CasaOS doesn\u0027t defend against password brute force attacks, which leads to having full access to the server.\n\n### Details\nThe web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.\n\n### PoC\n1. Capture login request in proxy tool like Burp Suite and select password field.\n\n![1](https://user-images.githubusercontent.com/63414468/297156515-0272bfd7-f386-4c22-b3bd-c4dbdc1298bf.PNG)\n\n2. Here I have started attack with total number of 271 password tries where the last one is the correct password and as we can see in the following image we get a **400 Bad Request** status code with the message \"**Invalid Password**\" and response length **769** on 1st request which was sent at **_Tue, 16 Jan 2024 18:31:32 GMT_**\n\n![2](https://user-images.githubusercontent.com/63414468/297157815-c158995b-7d46-4a5a-aef9-bcbbcf596b15.png)\n\n**Note**:  _We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes._\n\n\n3. Here the attack is completed and we can see in the following image we get **200 OK** status code with the message \"**Ok**\" and response length **1509** on 271st request which was sent at **_Tue, 16 Jan 2024 18:32:01 GMT_**.\n\n![3](https://user-images.githubusercontent.com/63414468/297159282-3f4788b5-6217-4f32-8be6-40ac117710e3.png)\n\nThis means attacker can try 271 requests in 56 seconds.\n\n### Impact\nThis vulnerability allows attackers to get super user-level access over the server.\n\n\n### Mitigation\nIt is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like:\nIf a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.",
  "id": "GHSA-c69x-5xmw-v44x",
  "modified": "2025-04-10T23:07:21Z",
  "published": "2024-03-06T15:25:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2614"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability"
}

GHSA-C6GR-MFC7-Q7H7

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-22T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.",
  "id": "GHSA-c6gr-mfc7-q7h7",
  "modified": "2022-05-13T01:49:37Z",
  "published": "2022-05-13T01:49:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/6ffacc1e239930e0e8464d0ca16e432e26cf36a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7Q6-PRXW-FGX7

Vulnerability from github – Published: 2024-01-22 18:31 – Updated: 2024-01-22 18:31
VLAI
Details

The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-22T18:15:19Z",
    "severity": "HIGH"
  },
  "details": "The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic.",
  "id": "GHSA-c7q6-prxw-fgx7",
  "modified": "2024-01-22T18:31:16Z",
  "published": "2024-01-22T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45790"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05"
    },
    {
      "type": "WEB",
      "url": "https://www.dragos.com/advisory/omron-plc-and-engineering-software-network-and-file-format-access"
    },
    {
      "type": "WEB",
      "url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2023-010_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C83P-437R-FPV6

Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2022-06-09 00:00
VLAI
Details

A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-10004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-24T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.",
  "id": "GHSA-c83p-437r-fpv6",
  "modified": "2022-06-09T00:00:19Z",
  "published": "2022-05-25T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.12790"
    },
    {
      "type": "WEB",
      "url": "http://www.modzero.ch/advisories/MZ-13-07_SAMwin_Collisions.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C875-CGWJ-4FJW

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-21T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.",
  "id": "GHSA-c875-cgwj-4fjw",
  "modified": "2022-05-24T19:18:31Z",
  "published": "2022-05-24T19:18:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42096"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/mailman/+bug/1947639"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4991"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/10/21/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C8VC-VJPF-2FPH

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2022-05-17 19:57
VLAI
Details

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID.",
  "id": "GHSA-c8vc-vjpf-2fph",
  "modified": "2022-05-17T19:57:24Z",
  "published": "2022-05-17T19:57:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2875"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Apr/318"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/531981/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.syhunt.com/en/index.php?n=Advisories.Cgilua-weaksessionid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C8XV-5VHV-HV2H

Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-22 00:00
VLAI
Details

An issue was discovered in certain Verbatim drives through 2022-03-31. Due to an insecure design, they allow an offline brute-force attack for determining the correct passcode, and thus gaining unauthorized access to the stored encrypted data. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-08T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in certain Verbatim drives through 2022-03-31. Due to an insecure design, they allow an offline brute-force attack for determining the correct passcode, and thus gaining unauthorized access to the stored encrypted data. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store \u0027n\u0027 Go Secure Portable HDD GD25LK01-3637-C VER4.0.",
  "id": "GHSA-c8xv-5vhv-hv2h",
  "modified": "2022-06-22T00:00:54Z",
  "published": "2022-06-09T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28384"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-001.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-005.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-043.txt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167481/Verbatim-Keypad-Secure-USB-3.2-Gen-1-Drive-Cryptography-Issue.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167499/Verbatim-Store-N-Go-Secure-Portable-HDD-GD25LK01-3637-C-VER4.0-Risky-Crypto.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Jun/17"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Jun/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Oct/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9VG-RVHJ-XXHH

Vulnerability from github – Published: 2026-02-07 21:30 – Updated: 2026-02-07 21:30
VLAI
Details

A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T20:15:56Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack\u0027s complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-c9vg-rvhj-xxhh",
  "modified": "2026-02-07T21:30:18Z",
  "published": "2026-02-07T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2110"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344686"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344686"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.746251"
    },
    {
      "type": "WEB",
      "url": "https://www.websecurityinsights.my.id/2026/01/swiftbuy-v-10-loginphp-no-limit-to.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CCVQ-2HFM-57F3

Vulnerability from github – Published: 2024-01-11 21:31 – Updated: 2024-01-19 15:30
VLAI
Details

The number of attempts to bring the Hozard Alarm system (alarmsystemen) v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "The number of attempts to bring the Hozard Alarm system (alarmsystemen) v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state.",
  "id": "GHSA-ccvq-2hfm-57f3",
  "modified": "2024-01-19T15:30:18Z",
  "published": "2024-01-11T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50123"
    },
    {
      "type": "WEB",
      "url": "https://www.secura.com/services/iot/consumer-products/security-concerns-in-popular-smart-home-devices"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.