Lucene search

GitHub Advisory DatabaseGHSA-VFPH-HJFV-CPV2

HistoryFeb 17, 2024 - 6:30 a.m.

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

2024-02-1706:30:35

CWE-307

GitHub Advisory Database

github.com

improper restriction

excessive authentication attempts

2fa

vulnerability

github.com/greenpau/caddy-security

automation

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

Affected configurations

Vulners

Node

github.com\/greenpau\/caddysecurityRange≤1.1.23

CPENameOperatorVersion
github.com/greenpau/caddy-securityle1.1.23

CPE	Name	Operator	Version
	github.com/greenpau/caddy-security	le	1.1.23

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy

github.com/advisories/GHSA-vfph-hjfv-cpv2

github.com/greenpau/caddy-security/issues/271

nvd.nist.gov/vuln/detail/CVE-2024-21500

security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for GHSA-VFPH-HJFV-CPV2