9.8
CVE-2022-35925
- EPSS 1.36%
- Veröffentlicht 02.08.2022 21:15:08
- Zuletzt bearbeitet 21.11.2024 07:11:58
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginMissing rate limit in Authentication in bookwyrm
BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their `nginx.conf` file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Joinbookwyrm ≫ Bookwyrm Version < 0.4.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.36% | 0.68 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
https://github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw
https://huntr.dev/bounties/ebee593d-3fd0-4985-bf5e-7e7927e08bf6/
https://www.github.com/bookwyrm-social/bookwyrm/commit/7bbe42fb30a79a26115524d18b697d895563c92f