Vulnerability Description
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Icewhale | Casaos | >= 0.4.4.3, < 0.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbacePatch
- https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7Release Notes
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69xExploitVendor Advisory
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbacePatch
- https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7Release Notes
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69xExploitVendor Advisory
FAQ
What is CVE-2024-24767?
CVE-2024-24767 is a vulnerability with a CVSS score of 9.1 (CRITICAL). CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads t...
How severe is CVE-2024-24767?
CVE-2024-24767 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-24767?
Check the references section above for vendor advisories and patch information. Affected products include: Icewhale Casaos.