CVE-2020-11052 – sorcery

Package

Manager: gem
Name: sorcery
Vulnerable Version: >=0 <0.15.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.00532 pctl0.66369

Details

Improper Restriction of Excessive Authentication Attempts in Sorcery ### Impact Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. ### Patches Patched as of version `0.15.0`. ### Workarounds Currently no workarounds, other than monkey patching the authenticate method provided by Sorcery or upgrading to version `0.15.0`.

Metadata

Created: 2020-05-07T21:16:46Z
Modified: 2023-05-16T16:16:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jc8m-cxhj-668x/GHSA-jc8m-cxhj-668x.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-jc8m-cxhj-668x
Finding: F053
Auto approve: 1