2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
The CollabNet Subversion Edge Management Frontend does not protect user accounts against brute-force password guessing. An attacker has an unlimited number of attempts to guess a valid user's password.
Implement user-specific time penalties or lockouts after a certain number of failed logins, and provide configuration options for that feature.
Invalid logins now cause an exponential increase in response time. The rate of increase and the maximum delay are configurable; the default settings impose a 1-minute wait time after 15 invalid logins within 5 minutes.
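The recommendation above and the vendor's fix both describe a per-user time penalty that grows with each failed login inside a sliding window. The following throttle is an added illustration of that mechanism, written for this page; it is not Subversion Edge's code and the vendor's exact formula is not published here. The parameters `window`, `base_delay`, `growth` and `max_delay` are assumptions, chosen so that the delay hits the 1-minute cap once 15 failures have occurred within 5 minutes, matching the default described above. The clock and sleep functions are injectable so the behaviour can be checked without real waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class LoginThrottle:
    """Per-user exponential response delay after failed logins.

    Every failed login for a user is timestamped; only failures inside the
    sliding `window` count. The delay before the next attempt is
    base_delay * growth ** (failures - 1), capped at max_delay.

    Defaults are assumptions for this example: with base_delay=0.25 s and
    growth=1.5 the 15th failure within 300 s reaches the 60 s cap.
    """

    def __init__(self, window: float = 300.0, base_delay: float = 0.25,
                 growth: float = 1.5, max_delay: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window
        self.base_delay = base_delay
        self.growth = growth
        self.max_delay = max_delay
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str) -> Deque[float]:
        """Drop failure timestamps that have aged out of the window."""
        q = self._failures[user]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def failures_in_window(self, user: str) -> int:
        return len(self._prune(user))

    def required_delay(self, user: str) -> float:
        """Seconds the next login attempt for `user` must wait."""
        n = self.failures_in_window(user)
        if n == 0:
            return 0.0
        return min(self.max_delay, self.base_delay * self.growth ** (n - 1))

    def record_failure(self, user: str) -> float:
        """Register a failed login and return the delay now in force."""
        self._prune(user).append(self.clock())
        return self.required_delay(user)

    def record_success(self, user: str) -> None:
        """A correct password clears the penalty for that user."""
        self._failures.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str,
                  verify: Callable[[str, str], bool],
                  sleep: Callable[[float], None] = time.sleep) -> bool:
    """Apply the penalty, then check credentials and update the throttle.

    The delay is paid before the password is verified, so a throttled
    attacker is slowed down regardless of whether the guess is right.
    """
    sleep(throttle.required_delay(user))
    ok = verify(user, password)
    if ok:
        throttle.record_success(user)
    else:
        throttle.record_failure(user)
    return ok


class FakeClock:
    """Constructed clock for demonstrations and tests (no real waiting)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo(failures: int = 16) -> List[float]:
    """Return the delay in force after each of `failures` consecutive bad logins."""
    throttle = LoginThrottle(clock=FakeClock())
    return [throttle.record_failure("demo-user") for _ in range(failures)]


if __name__ == "__main__":
    for i, d in enumerate(demo(), start=1):
        print(f"after failure {i:2d}: next attempt waits {d:6.2f} s")
```

A growing delay rather than a hard lockout was the vendor's choice, and the throttle above follows it: a legitimate user is slowed down but never locked out, so an attacker cannot deny service to an account simply by sending wrong passwords at it. The per-user key means guesses against one account do not slow logins for anyone else; a deployment that also wants to limit attempts per source address would keep a second throttle keyed on the client IP.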