Lucene search

Veracode Vulnerability DatabaseVERACODE:43285

HistorySep 15, 2023 - 8:58 a.m.

Improper Rate Limiting

2023-09-1508:58:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerable

bypassable rate limiting

brute force

authentication

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

27.5%

JSON

@strapi/admin and @strapi/plugin-users-permissions vulnerable to Improper Rate Limiting. The vulnerability is due to bypassable rate limiting logic in the admin and user authentication endpoints which could theoretically allow an attacker to brute force valid username and password combinations.

CPENameOperatorVersion
@strapi/plugin-users-permissionsle4.12.0
@strapi/adminle4.12.0
@strapi/plugin-users-permissionsle4.12.0
@strapi/adminle4.12.0

Name	Operator	Version
@strapi/plugin-users-permissions	le	4.12.0
@strapi/admin	le	4.12.0
@strapi/plugin-users-permissions	le	4.12.0
@strapi/admin	le	4.12.0

References

github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31

github.com/strapi/strapi/commit/ed364d951a1e024e2497b8597d298bd60ee1df2f

github.com/strapi/strapi/releases/tag/v4.12.1

github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

27.5%

JSON

Related for VERACODE:43285