Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

900 vulnerabilities reference this CWE, most recent first.

GHSA-JJ96-GGR5-64RP

Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2025-11-05 00:31
VLAI
Details

Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-5414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-05T10:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.",
  "id": "GHSA-jj96-ggr5-64rp",
  "modified": "2025-11-05T00:31:12Z",
  "published": "2022-05-17T03:46:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5414"
    },
    {
      "type": "WEB",
      "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf"
    },
    {
      "type": "WEB",
      "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf"
    },
    {
      "type": "WEB",
      "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2016/icsa-16-278-02.json"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-278-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93349"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJJW-R883-R73W

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account. When an SRX Series device is in cluster mode, and a cluster sync or failover operation occurs, then there will be errors associated with synch or failover while the root account is locked out. Administrators can confirm if the root account is locked out via the following command root@device> show system login lockout user root User Lockout start Lockout end root 1995-01-01 01:00:01 PDT 1995-11-01 01:31:01 PDT Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65 on SRX series; 12.3X48 prior to 12.3X48-D45 on SRX series; 15.1X49 prior to 15.1X49-D75 on SRX series.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "MODERATE"
  },
  "details": "When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account. When an SRX Series device is in cluster mode, and a cluster sync or failover operation occurs, then there will be errors associated with synch or failover while the root account is locked out. Administrators can confirm if the root account is locked out via the following command root@device\u003e show system login lockout user root User Lockout start Lockout end root 1995-01-01 01:00:01 PDT 1995-11-01 01:31:01 PDT Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65 on SRX series; 12.3X48 prior to 12.3X48-D45 on SRX series; 15.1X49 prior to 15.1X49-D75 on SRX series.",
  "id": "GHSA-jjjw-r883-r73w",
  "modified": "2022-05-13T01:38:22Z",
  "published": "2022-05-13T01:38:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10604"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10806"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJM2-VHRM-92VG

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:26Z",
    "severity": "HIGH"
  },
  "details": "langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.",
  "id": "GHSA-jjm2-vhrm-92vg",
  "modified": "2025-03-20T12:32:42Z",
  "published": "2025-03-20T12:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12039"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJMX-7VPW-FCC5

Vulnerability from github – Published: 2026-01-08 18:30 – Updated: 2026-01-08 18:30
VLAI
Details

The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (/cgi-bin/luci). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T16:15:45Z",
    "severity": "MODERATE"
  },
  "details": "The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 \u0026 4.6.8 are vulnerable. Fix available in version 4.8.2 GL.Inet AX1800 Version 4.6.4 \u0026 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface.",
  "id": "GHSA-jjmx-7vpw-fcc5",
  "modified": "2026-01-08T18:30:49Z",
  "published": "2026-01-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67090"
    },
    {
      "type": "WEB",
      "url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51"
    },
    {
      "type": "WEB",
      "url": "https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub"
    },
    {
      "type": "WEB",
      "url": "https://www.gl-inet.com/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMMG-JQC7-5QF4

Vulnerability from github – Published: 2026-03-03 22:18 – Updated: 2026-03-20 21:13
VLAI
Summary
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
Details

This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.

Context and Preconditions

OpenClaw’s web/gateway surface is designed for local use and trusted-operator workflows. In affected versions, a browser-origin client could combine three behaviors:

  • Origin checks not enforced for some non-Control-UI WebSocket client IDs.
  • Loopback auth attempts exempt from password-failure throttling.
  • Silent local pairing path available to browser-origin non-Control-UI clients.

Successful exploitation requires all of the following:

  • Gateway reachable on loopback (default).
  • Password auth mode in use.
  • Victim opens attacker-controlled web content.
  • Password is guessable within feasible brute-force/dictionary attempts.

Practical Impact

If the password is guessed, an attacker can establish an authenticated operator WebSocket session and invoke control-plane methods available to that role. This is not an unauthenticated internet-exposed RCE class issue by itself; it is a local browser-origin auth-hardening gap with meaningful impact under the conditions above.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <=2026.2.24 (latest published npm version as of February 26, 2026)
  • Patched versions : >=2026.2.25

Fix Commit(s)

  • c736f11a16d6bc27ea62a0fe40fffae4cb071fdb

Fix Details

  • Enforce browser-origin checks for direct browser WebSocket clients beyond Control UI/Webchat (trusted-proxy forwarded flows remain supported).
  • Apply browser-origin auth failure throttling with loopback exemption disabled.
  • Block silent auto-pairing for non-Control-UI browser-origin clients.

Release Process Note

patched_versions is pre-set to the planned next npm release (2026.2.25) so once that release is published, the advisory is published.

OpenClaw thanks @luz-oasis for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-307",
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:18:09Z",
    "nvd_published_at": "2026-03-19T22:16:37Z",
    "severity": "MODERATE"
  },
  "details": "This issue is a browser-origin WebSocket auth chain on local loopback deployments using password auth. It is serious, but conditional: an attacker must get the user to open a malicious page and then successfully guess the gateway password.\n\n## Context and Preconditions\n\nOpenClaw\u2019s web/gateway surface is designed for local use and trusted-operator workflows. In affected versions, a browser-origin client could combine three behaviors:\n\n- Origin checks not enforced for some non-Control-UI WebSocket client IDs.\n- Loopback auth attempts exempt from password-failure throttling.\n- Silent local pairing path available to browser-origin non-Control-UI clients.\n\nSuccessful exploitation requires all of the following:\n\n- Gateway reachable on loopback (default).\n- Password auth mode in use.\n- Victim opens attacker-controlled web content.\n- Password is guessable within feasible brute-force/dictionary attempts.\n\n## Practical Impact\n\nIf the password is guessed, an attacker can establish an authenticated operator WebSocket session and invoke control-plane methods available to that role. This is not an unauthenticated internet-exposed RCE class issue by itself; it is a local browser-origin auth-hardening gap with meaningful impact under the conditions above.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c=2026.2.24` (latest published npm version as of February 26, 2026)\n- Patched versions : `\u003e=2026.2.25`\n\n## Fix Commit(s)\n\n- `c736f11a16d6bc27ea62a0fe40fffae4cb071fdb`\n\n## Fix Details\n\n- Enforce browser-origin checks for direct browser WebSocket clients beyond Control UI/Webchat (trusted-proxy forwarded flows remain supported).\n- Apply browser-origin auth failure throttling with loopback exemption disabled.\n- Block silent auto-pairing for non-Control-UI browser-origin clients.\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next npm release (`2026.2.25`) so once that release is published, the advisory is published.\n\nOpenClaw thanks @luz-oasis for reporting.",
  "id": "GHSA-jmmg-jqc7-5qf4",
  "modified": "2026-03-20T21:13:30Z",
  "published": "2026-03-03T22:18:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32025"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c736f11a16d6bc27ea62a0fe40fffae4cb071fdb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-password-brute-force-via-browser-origin-websocket-authentication-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains"
}

GHSA-JQ2F-3XC4-634F

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2025-04-20 03:34
VLAI
Details

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-28T02:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.",
  "id": "GHSA-jq2f-3xc4-634f",
  "modified": "2025-04-20T03:34:57Z",
  "published": "2022-05-13T01:38:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/revive-adserver/revive-adserver/commit/847941390f5b3310d51b07c92ec91cc1f4cc82c9"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/96115"
    },
    {
      "type": "WEB",
      "url": "https://www.revive-adserver.com/security/revive-sa-2016-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ67-R98P-22QP

Vulnerability from github – Published: 2026-02-27 18:31 – Updated: 2026-02-27 18:31
VLAI
Details

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limiting restrictions to gain unauthorized access to the device management interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T18:16:13Z",
    "severity": "MODERATE"
  },
  "details": "SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limiting restrictions to gain unauthorized access to the device management interface.",
  "id": "GHSA-jq67-r98p-22qp",
  "modified": "2026-02-27T18:31:06Z",
  "published": "2026-02-27T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27753"
    },
    {
      "type": "WEB",
      "url": "https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sodola-sl902-swtgw124as-improper-login-rate-limiting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JQGG-5JPG-2HH9

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-19T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.",
  "id": "GHSA-jqgg-5jpg-2hh9",
  "modified": "2022-05-13T01:34:08Z",
  "published": "2022-05-13T01:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15759"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2018-15759"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR54-JWHJ-55GP

Vulnerability from github – Published: 2026-06-05 16:03 – Updated: 2026-06-05 16:03
VLAI
Summary
NocoDB: User Enumeration via Sign-In Timing
Details

Summary

Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.

Details

The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response time of failed sign-ins is approximately independent of whether the address exists. Rate limiting on the sign-in endpoint is implemented in the Enterprise build only and is not affected by this advisory.

Impact

A network-positioned attacker could enumerate registered email addresses by timing sign-in responses. Exploitation requires only the ability to send unauthenticated sign-in requests.

Credit

This issue was reported by @AndyAnh174.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.04.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:03:55Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nSign-in response timing differed between known and unknown email addresses because\nthe unknown-user branch returned without performing a password hash comparison.\n\n### Details\nThe unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against\na fixed dummy hash so the response time of failed sign-ins is approximately\nindependent of whether the address exists. Rate limiting on the sign-in endpoint is\nimplemented in the Enterprise build only and is not affected by this advisory.\n\n### Impact\nA network-positioned attacker could enumerate registered email addresses by timing\nsign-in responses. Exploitation requires only the ability to send unauthenticated\nsign-in requests.\n\n### Credit\nThis issue was reported by [@AndyAnh174](https://github.com/AndyAnh174).",
  "id": "GHSA-jr54-jwhj-55gp",
  "modified": "2026-06-05T16:03:55Z",
  "published": "2026-06-05T16:03:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "NocoDB: User Enumeration via Sign-In Timing"
}

GHSA-JRC6-WGVP-2F2R

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects:

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-05T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects: \u003cZXONE 19700 SNPE\u003e\u003cZXONE8700V1.40R2B13_SNPE\u003e",
  "id": "GHSA-jrc6-wgvp-2f2r",
  "modified": "2022-05-24T17:30:06Z",
  "published": "2022-05-24T17:30:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6875"
    },
    {
      "type": "WEB",
      "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013643"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.