CVE-2024-24767 – github.com/icewhaletech/casaos-userservice
Package
Manager: go
Name: github.com/icewhaletech/casaos-userservice
Vulnerable Version: >=0.4.4.3 <0.4.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00726 (percentile 0.71739)
Details
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability

### Summary

CasaOS does not defend against password brute-force attacks, which allows an attacker to gain full access to the server.

### Details

The web application does not limit login attempts, so an attacker can use a password brute-force attack to find the password and gain full access over the server.

### PoC

1. Capture the login request in a proxy tool such as Burp Suite and select the password field.
2. Here I have started an attack with a total of 271 password tries, where the last one is the correct password. As we can see in the following image, we get a **400 Bad Request** status code with the message "**Invalid Password**" and response length **769** on the 1st request, which was sent at **_Tue, 16 Jan 2024 18:31:32 GMT_**.

   **Note**: _We have tested this vulnerability with more than 3400 tries. We used 271 requests just for demo purposes._

3. Here the attack is completed, and as we can see in the following image, we get a **200 OK** status code with the message "**Ok**" and response length **1509** on the 271st request, which was sent at **_Tue, 16 Jan 2024 18:32:01 GMT_**. This means an attacker can try 271 requests in 56 seconds.

### Impact

This vulnerability allows attackers to get super-user-level access over the server.

### Mitigation

It is recommended to implement a proper rate-limiting mechanism on the server side; for example: if a specific IP address fails to log in more than 5 times consecutively, that IP address must be blocked for at least 30 seconds. This will reduce the possibility of password brute-forcing attacks.
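The mitigation above describes a per-IP lockout (more than 5 failed logins blocks the address for 30 seconds). The following Go program is an added illustration of that policy written for this page; it is not code from casaos-userservice. The `LoginLimiter` type, the `Login` and `Simulate` functions, the sample password and the IP addresses are all constructed for the example. The login handler reproduces the status codes the advisory observed (400 "Invalid Password", 200 "Ok") and adds a 429 while an address is locked out, so the same 271-request scenario can be replayed against the limiter.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Policy values from the advisory's mitigation text: more than maxFailures
// failed logins from one IP block that IP for lockoutPeriod.
const (
	maxFailures   = 5
	lockoutPeriod = 30 * time.Second
)

type ipState struct {
	failures     int
	blockedUntil time.Time
}

// LoginLimiter is a hypothetical per-IP failed-login tracker (not part of casaos-userservice).
type LoginLimiter struct {
	mu  sync.Mutex
	now func() time.Time // injectable clock so lockout expiry is testable
	ips map[string]*ipState
}

// NewLoginLimiter builds a limiter; a nil clock means the real wall clock.
func NewLoginLimiter(now func() time.Time) *LoginLimiter {
	if now == nil {
		now = time.Now
	}
	return &LoginLimiter{now: now, ips: make(map[string]*ipState)}
}

// Allow reports whether ip may attempt a login right now.
func (l *LoginLimiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.ips[ip]
	return !ok || !l.now().Before(s.blockedUntil)
}

// RecordFailure counts one failed attempt; once the count exceeds maxFailures it
// arms the lockout and resets the counter so a new window starts after the block.
func (l *LoginLimiter) RecordFailure(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.ips[ip]
	if !ok {
		s = &ipState{}
		l.ips[ip] = s
	}
	s.failures++
	if s.failures > maxFailures {
		s.blockedUntil = l.now().Add(lockoutPeriod)
		s.failures = 0
	}
}

// RecordSuccess clears all state for ip after a valid login.
func (l *LoginLimiter) RecordSuccess(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.ips, ip)
}

const storedPassword = "correct-horse-example" // constructed sample credential

// Login mirrors the advisory's observed responses (400 "Invalid Password",
// 200 "Ok") and adds 429 while the client IP is locked out.
func Login(l *LoginLimiter, ip, password string) (int, string) {
	if !l.Allow(ip) {
		return http.StatusTooManyRequests, "Too many failed attempts"
	}
	if subtle.ConstantTimeCompare([]byte(password), []byte(storedPassword)) != 1 {
		l.RecordFailure(ip)
		return http.StatusBadRequest, "Invalid Password"
	}
	l.RecordSuccess(ip)
	return http.StatusOK, "Ok"
}

// Simulate sends n wrong guesses and then the right one from a single IP in a tight
// loop; it returns how many guesses were actually checked and the final status.
func Simulate(n int, clock func() time.Time) (checked int, finalStatus int) {
	l := NewLoginLimiter(clock)
	const ip = "203.0.113.7" // constructed documentation-range address
	for i := 0; i < n; i++ {
		if status, _ := Login(l, ip, fmt.Sprintf("wrong-%d", i)); status != http.StatusTooManyRequests {
			checked++
		}
	}
	finalStatus, _ = Login(l, ip, storedPassword)
	if finalStatus != http.StatusTooManyRequests {
		checked++
	}
	return checked, finalStatus
}

func main() {
	// The advisory's scenario: 270 wrong guesses then the right one, well within a minute.
	checked, status := Simulate(270, nil)
	fmt.Printf("guesses checked: %d, final status: %d\n", checked, status)
}
```

With the limiter in place, the 271-request run that the advisory completed in 56 seconds has only its first six guesses checked against the password; every later request, including the correct one, is refused with 429 until the 30-second block lapses. The clock is injected so the expiry path can be exercised without sleeping, and the success path clears the counter so a legitimate user who mistypes a few times is not carried over into the next window.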
Metadata
Created: 2024-03-06T15:25:08Z
Modified: 2025-04-10T23:07:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c69x-5xmw-v44x/GHSA-c69x-5xmw-v44x.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-c69x-5xmw-v44x
Finding: F053
Auto approve: 1