CVE-2024-21500

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/271
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864

Configurations

No configuration.

History

20 Feb 2024, 19:50

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-17 05:15

Updated : 2024-02-20 19:50

NVD link : CVE-2024-21500

Mitre link : CVE-2024-21500

CVE.ORG link : CVE-2024-21500

JSON object : View

Products Affected

No product.

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

4.8 /10