Mar 06, 2024 - 6:15 p.m.

CVE-2024-24767

2024-03-06 18:15:46
CWE-307
GitHub_M
web.nvd.nist.gov
casaos
userservice
password brute force
server access
vulnerability
patch
nvd

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 9.1
Confidence: High

EPSS: 0
Percentile: 15.5%

CasaOS-UserService provides user management functionality to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn’t defend against password brute force attacks, which leads to full access to the server. The web application places no limit on login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.

Affected configurations

Node: icewhaletech casaos_userservice
Range: 0.4.4.3 - 0.4.7

Vendor: icewhaletech
Product: casaos_userservice
Version: *
CPE: cpe:2.3:a:icewhaletech:casaos_userservice:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "IceWhaleTech",
    "product": "CasaOS-UserService",
    "versions": [
      {
        "version": ">= 0.4.4.3, < 0.4.7",
        "status": "affected"
      }
    ]
  }
]
