Vulnerability Description
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Authcrunch | Caddy-Security | All versions |
Related Weaknesses (CWE)
References
- https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddExploitThird Party Advisory
- https://github.com/greenpau/caddy-security/issues/271Issue Tracking
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864Third Party Advisory
- https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddExploitThird Party Advisory
- https://github.com/greenpau/caddy-security/issues/271Issue Tracking
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864Third Party Advisory
FAQ
What is CVE-2024-21500?
CVE-2024-21500 is a vulnerability with a CVSS score of 4.8 (MEDIUM). All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the applica...
How severe is CVE-2024-21500?
CVE-2024-21500 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21500?
Check the references section above for vendor advisories and patch information. Affected products include: Authcrunch Caddy-Security.