9.8

CVE-2024-24767

Exploit

EPSS 0.73%
Veröffentlicht 06.03.2024 18:15:46
Zuletzt bearbeitet 10.04.2025 20:31:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Icewhale ≫ Casaos Version >= 0.4.4.3 < 0.4.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.73%	0.718

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-24767

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24767

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24767

EUVD