CVE-2024-21500

All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
https://github.com/greenpau/caddy-security/issues/271
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864

Configurations

No configuration.

History

20 Feb 2024, 19:50

Type	Values Removed	Values Added
Summary		(es) Todas las versiones del paquete github.com/greenpau/caddy-security son vulnerables a una restricción inadecuada de intentos de autenticación excesivos a través de la autenticación de dos factores (2FA). Aunque la aplicación bloquea al usuario después de varios intentos fallidos de proporcionar códigos 2FA, los atacantes pueden evitar este mecanismo de bloqueo automatizando todo el proceso 2FA de varios pasos de la aplicación.

17 Feb 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-17 05:15

Updated : 2024-02-20 19:50

NVD link : CVE-2024-21500

Mitre link : CVE-2024-21500

CVE.ORG link : CVE-2024-21500

JSON object : View

Products Affected

No product.

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

4.8 /10