
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class, 332 entries

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI analysis in Chinese included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Mitigations (2)
Phase: Architecture and Design
Common protection mechanisms include:
  - disconnecting the user after a small number of failed attempts;
  - implementing a timeout;
  - locking out a targeted account;
  - requiring a computational task on the user's part.

Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked, with no check of how many attempts have already failed for that account.

Bad · Java
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // Every request reaches the credential check; nothing counts or delays
    // earlier failures, so repeated guesses are never slowed down or blocked.
    int authResult = authenticateUser(username, password);
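The defence that the MITRE mitigations describe (a timeout after each failure, then locking the targeted account) as an added example; this is not code from this page or from any product listed below. The LoginThrottle class, its method names and the policy constants are the editor's assumptions, and the caller is expected to run check() before the password lookup that the servlet above performs unconditionally.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Policy constants (assumed values, not taken from any product on this page).
MAX_FAILURES = 5           # failures before the account is locked out
LOCKOUT_SECONDS = 900.0    # lockout length once MAX_FAILURES is reached
BASE_DELAY_SECONDS = 1.0   # delay after the 1st failure; doubles per failure
FAILURE_WINDOW = 900.0     # failures older than this are forgotten


@dataclass
class _AccountState:
    failures: int = 0
    last_failure: float = 0.0
    blocked_until: float = 0.0


@dataclass
class LoginThrottle:
    """Keyed by account so guessing spread over many client IPs is still throttled."""
    _state: Dict[str, _AccountState] = field(default_factory=dict)

    def _get(self, username: str, now: float) -> _AccountState:
        st = self._state.setdefault(username, _AccountState())
        # Forget stale failures so a legitimate user is not penalised forever.
        if st.failures and now - st.last_failure > FAILURE_WINDOW:
            st.failures, st.blocked_until = 0, 0.0
        return st

    def check(self, username: str, now: float) -> Tuple[bool, float]:
        """Call before verifying the password: returns (allowed, seconds to wait)."""
        st = self._get(username, now)
        if now < st.blocked_until:
            return False, st.blocked_until - now
        return True, 0.0

    def record_failure(self, username: str, now: float) -> float:
        """Count a failed attempt; return how long the account is now blocked."""
        st = self._get(username, now)
        st.failures += 1
        st.last_failure = now
        if st.failures >= MAX_FAILURES:
            block = LOCKOUT_SECONDS                              # hard lockout
        else:
            block = BASE_DELAY_SECONDS * 2 ** (st.failures - 1)  # 1, 2, 4, 8 s
        st.blocked_until = now + block
        return block

    def record_success(self, username: str) -> None:
        """A correct password (after check() allowed the attempt) clears the history."""
        self._state.pop(username, None)
```

Because the key is the account rather than the client address, a flood of wrong passwords also locks out the legitimate owner for LOCKOUT_SECONDS; pairing the lockout with the CAPTCHA or multi-factor step mentioned in the summary above limits that side effect.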
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-32515 | Schneider Electric Conext ComBox security vulnerability | Conext™ ComBox | 8.6 | High | 2023-01-30
CVE-2022-4797 | Improper Restriction of Excessive Authentication Attempts in usememos/memos | usememos/memos | 7.5 | - | 2022-12-28
CVE-2022-23746 | Check Point IPSec VPN security vulnerability | Gateway & Management, IPsec VPN blade SNX portal | 9.8 | - | 2022-11-30
CVE-2022-2650 | Improper Restriction of Excessive Authentication Attempts in wger-project/wger | wger-project/wger | 9.8 | - | 2022-11-24
CVE-2022-2166 | Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon | mastodon/mastodon | 9.4 | - | 2022-11-16
CVE-2022-3993 | Improper Restriction of Excessive Authentication Attempts in kareadita/kavita | kareadita/kavita | 9.4 | Critical | 2022-11-14
CVE-2022-3945 | Improper Restriction of Excessive Authentication Attempts in kareadita/kavita | kareadita/kavita | 7.5 | - | 2022-11-11
CVE-2022-3741 | Improper Restriction of Excessive Authentication Attempts in chatwoot/chatwoot | chatwoot/chatwoot | 9.1 | - | 2022-10-28
CVE-2022-39314 | User enumeration in the code-based login and password reset forms | kirby | 5.3 | - | 2022-10-24
CVE-2022-31228 | Dell EMC XtremIO security vulnerability | XtremIO | 8.1 | High | 2022-10-12
CVE-2022-2822 | Authentication Bypass by Primary Weakness in octoprint/octoprint | octoprint/octoprint | 9.1 | - | 2022-08-15
CVE-2022-2457 | Business-central security vulnerability | Red Hat Process Automation Manager 7 | 9.1 | - | 2022-08-09
CVE-2022-31234 | Dell EMC PowerStore security vulnerability | PowerStore | 8.1 | High | 2022-07-20
CVE-2022-2321 | Improper Restriction of Excessive Authentication Attempts in heroiclabs/nakama | heroiclabs/nakama | 9.8 | - | 2022-07-05
CVE-2022-30235 | Schneider Electric PowerLogic ION Setup security vulnerability | Wiser Smart | 8.6 | High | 2022-06-02
CVE-2022-29084 | Multiple Dell products security vulnerability | Unity | 8.1 | High | 2022-06-02
CVE-2022-24044 | Multiple Siemens products security vulnerability | Desigo DXR2 | 7.5 | - | 2022-05-10
CVE-2022-26519 | Interlogix Hills ComNav Improper Restriction of Excessive Authentication Attempts | Hills ComNav | 5.5 | Medium | 2022-04-20
CVE-2022-22561 | Dell Technologies Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 8.1 | High | 2022-04-12
CVE-2022-25820 | Samsung fingerprint matching algorithm security vulnerability | Samsung Mobile Devices | 4.2 | Medium | 2022-03-08
CVE-2022-26314 | Siemens Mendix security vulnerability | Mendix Forgot Password Appstore module | 9.8 | - | 2022-03-08
CVE-2022-22810 | Schneider Electric multiple products security vulnerability | spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) | 9.8 | - | 2022-02-09
CVE-2022-22553 | DELL EMC AppSync security vulnerability | AppSync | 8.1 | High | 2022-01-21
CVE-2021-41807 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0, allows brute-forcing of certain type of user accounts. | M-Files Server | 7.5 | High | 2022-01-18
CVE-2021-42544 | Lack of Rate limiting in Authentication in TopEase | TopEase | 7.5 | High | 2021-11-30
CVE-2021-41171 | Bypass bruteforce protection on login form in elabftw | elabftw | 5.9 | Medium | 2021-10-22
CVE-2021-38474 | InHand Networks IR615 Router | IR615 Router | 6.3 | Medium | 2021-10-19
CVE-2021-36285 | Dell BIOS security vulnerability | CPG BIOS | 5.7 | Medium | 2021-09-28
CVE-2021-36284 | Dell BIOS security vulnerability | CPG BIOS | 5.7 | Medium | 2021-09-28
CVE-2021-3663 | Improper Restriction of Excessive Authentication Attempts in firefly-iii/firefly-iii | firefly-iii/firefly-iii | 7.5 | - | 2021-07-25

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) account for 332 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.