GitHub_M·CWE-307·Published 2020-05-07
In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. This has been patched in 0.15.0.
### Impact

Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once it expires, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout.

### Patches

Patched as of version `0.15.0`.

### Workarounds

Currently no workarounds, other than monkey patching the authenticate method provided by Sorcery or upgrading to version `0.15.0`.
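The failure mode above, as an added illustration that is not Sorcery's own code: a constructed Ruby model of a lockout counter in which the expired lock attribute still short-circuits failure registration (the pre-0.15.0 behaviour) beside corrected logic that clears an expired lock whenever a failed login is registered. The class, the retry limit and the lock period are assumptions for the demonstration.

```ruby
# Constructed toy model of a lockout counter, not Sorcery's own code. It
# contrasts the pre-0.15.0 failure mode (an expired lock still "counts" as
# set, and only a successful login clears it) with corrected logic that
# drops an expired lock whenever a failed login is registered.
class LockoutAccount
  RETRY_LIMIT = 3   # failed attempts before locking (assumed value)
  LOCK_PERIOD = 60  # seconds a lock lasts (assumed value)
  attr_accessor :now           # injected clock so the scenario is deterministic

  # mode is :vulnerable or :fixed
  def initialize(mode, now)
    @mode, @now = mode, now
    @failed_logins_count, @lock_expires_at = 0, nil
  end

  # Login is refused only while the lock is set and not yet expired.
  def login_blocked?
    !@lock_expires_at.nil? && @lock_expires_at > @now
  end

  def register_failed_login!
    if @mode == :vulnerable
      # Bug: the expired lock still short-circuits, so nothing is counted and
      # no new lock is set until a successful login clears the attribute.
      return unless @lock_expires_at.nil?
    else
      clear_expired_lock!
      return if login_blocked?
    end
    @failed_logins_count += 1
    @lock_expires_at = @now + LOCK_PERIOD if @failed_logins_count >= RETRY_LIMIT
  end

  # Fixed behaviour: an expired lock is cleared as soon as it is consulted,
  # starting a fresh window of counted failures without any successful login.
  def clear_expired_lock!
    return unless @lock_expires_at && @lock_expires_at <= @now
    @lock_expires_at, @failed_logins_count = nil, 0
  end
end

# Lock the account once, wait out the lock period, then keep failing logins;
# returns true when protection re-engaged (the account locked again).
def relocks_after_expiry?(mode)
  acct = LockoutAccount.new(mode, Time.at(0))
  3.times { acct.register_failed_login! }
  acct.now += 61
  10.times { acct.register_failed_login! }
  acct.login_blocked?
end
```

In `:vulnerable` mode the ten guesses after expiry are never counted and the account stays open; in `:fixed` mode the third of them locks it again.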
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| 3.1 | Secondary | GHSA | 8.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
| 3.1 | Secondary | NVD | 8.3 | 3.9 | 3.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |