CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%
Here it is observed that the CasaOS doesn’t defend against password brute force attacks, which leads to having full access to the server.
The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access over the.
Note: We have tested this vulnerability with more than 3400 tries. We have used 271 request counts just for demo purposes.
This means attacker can try 271 requests in 56 seconds.
This vulnerability allows attackers to get super user-level access over the server.
It is recommended to implement a proper rate-limiting mechanism on the server side where the configuration might be like:
If a specific IP address fails to login more than 5 times concurrently then that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.
Vendor | Product | Version | CPE |
---|---|---|---|
go | casaos-userservice | * | cpe:2.3:a:go:casaos-userservice:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-c69x-5xmw-v44x
github.com/IceWhaleTech/CasaOS-UserService
github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699
github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x
nvd.nist.gov/vuln/detail/CVE-2024-24767
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%