
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include disconnecting the user after a small number of failed attempts; implementing a timeout; locking out a targeted account; requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);

Bad · Java
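One way to close the gap in the fragment above, as an added example that is not MITRE's code or any vendor's: a per-account failure counter with a time window and a lockout, consulted before authenticateUser() is ever called. The class name, the thresholds and the stand-in authenticateUser() are assumptions; a pure per-account lock also lets anyone who knows a username keep that account locked, which is why the progressive delays and CAPTCHA challenges mentioned above are usually layered on top.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not MITRE's or any vendor's code: the per-account attempt
// gate that the doPost() fragment above is missing. Thresholds are assumptions.
public class LoginThrottle {
    private static final int MAX_FAILURES = 5;                       // lock on the 5th failure
    private static final Duration WINDOW = Duration.ofMinutes(15);   // failures are counted within this window
    private static final Duration LOCKOUT = Duration.ofMinutes(15);  // how long the lock lasts
    private static final class State { int failures; Instant firstFailure; Instant lockedUntil; }
    private final Map<String, State> states = new ConcurrentHashMap<>();

    /** True if a login attempt for this account may be evaluated right now. */
    public synchronized boolean allowAttempt(String username, Instant now) {
        State s = states.get(username);
        if (s == null || s.lockedUntil == null) return true;
        if (now.isBefore(s.lockedUntil)) return false;     // still locked: do not even check the password
        states.remove(username);                           // lock expired: start clean
        return true;
    }

    /** Record a failed password check; starts a new window if the old failures are stale. */
    public synchronized void recordFailure(String username, Instant now) {
        State s = states.computeIfAbsent(username, k -> new State());
        if (s.firstFailure == null || now.isAfter(s.firstFailure.plus(WINDOW))) {
            s.failures = 0;
            s.firstFailure = now;
        }
        if (++s.failures >= MAX_FAILURES) s.lockedUntil = now.plus(LOCKOUT);
    }

    /** A successful login clears the counter so old failures do not accumulate. */
    public synchronized void recordSuccess(String username) { states.remove(username); }

    // Stand-in for the page's authenticateUser(); a real one verifies a password hash.
    static int authenticateUser(String username, String password) { return "correct horse".equals(password) ? 1 : 0; }

    // Simulates six requests against the same account: the throttle gate runs
    // before the credential check, so the sixth attempt is refused without a lookup.
    public static void main(String[] args) {
        LoginThrottle throttle = new LoginThrottle();
        Instant now = Instant.now();
        for (int i = 1; i <= 6; i++) {
            if (!throttle.allowAttempt("alice", now)) { System.out.println("attempt " + i + ": locked out"); continue; }
            if (authenticateUser("alice", "wrong") == 1) throttle.recordSuccess("alice");
            else { throttle.recordFailure("alice", now); System.out.println("attempt " + i + ": failed"); }
        }
    }
}
```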
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-32522 | QSAN Storage Manager, XEVO, SANOS - Improper Restriction of Excessive Authentication Attempts | Storage Manager | 9.8 | Critical | 2021-07-07
CVE-2021-22915 | Nextcloud server processing logic error vulnerability | Nextcloud Server | 9.8 | - | 2021-06-11
CVE-2021-33190 | Bypass network access control | Apache APISIX Dashboard | 5.3 | - | 2021-06-08
CVE-2021-3412 | 3Scale security vulnerability | 3Scale | 8.6 | - | 2021-06-01
CVE-2021-22737 | Schneider Electric homeLYnk and spaceLYnk security vulnerability | homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior | 9.8 | - | 2021-05-26
CVE-2019-18235 | Advantech Spectre RT ERT351 firmware security vulnerability | Advantech Spectre RT ERT351 Versions 5.1.3 and prior | 9.8 | - | 2021-03-17
CVE-2021-25676 | Siemens RUGGEDCOM security vulnerability | RUGGEDCOM RM1224 | 7.5 | - | 2021-03-15
CVE-2021-1311 | Cisco Webex Meetings and Cisco Webex Meetings Server Host Key Brute Forcing Vulnerability | Cisco WebEx Meetings Server | 5.4 | Medium | 2021-01-13
CVE-2020-25196 | MOXA NPort IAW5000A-I/O Series | NPort IAW5000A-I/O | 9.8 | Critical | 2020-12-23
CVE-2020-28212 | Schneider Electric EcoStruxure Control Expert authorization issue vulnerability | PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) | 9.8 | - | 2020-11-19
CVE-2020-15786 | Siemens SIMATIC HMI/WinCC security vulnerability | SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) | 9.1 | - | 2020-09-09
CVE-2020-7525 | Schneider security vulnerability | All hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) | 7.5 | - | 2020-08-31
CVE-2020-8202 | Nextcloud Preferred Providers app security vulnerability | Nextcloud Preferred Providers | 5.3 | - | 2020-07-30
CVE-2020-14484 | OpenClinic GA security vulnerability | OpenClinic GA | 9.8 | - | 2020-07-20
CVE-2020-10285 | RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks | xArm5 Lite, xArm 6 and xArm 7 | 9.8 | - | 2020-07-15
CVE-2020-7508 | Schneider Electric Easergy T300 security vulnerability | Easergy T300 (Firmware version 1.5.2 and older) | 9.8 | - | 2020-06-16
CVE-2020-11052 | Improper Restriction of Excessive Authentication Attempts in Sorcery | Sorcery | 8.3 | High | 2020-05-07
CVE-2019-18261 | Omron PLC CS series, CJ series and NJ series security vulnerability | Omron PLC CJ, CS and NJ Series | 9.8 | - | 2019-12-16
CVE-2019-3766 | Dell EMC Elastic Cloud Storage security vulnerability | Elastic Cloud Storage | 9.8 | - | 2019-09-27
CVE-2019-3746 | Dell EMC Integrated Data Protection Appliance security vulnerability | Integrated Data Protection Appliance | 8.8 | - | 2019-09-27
CVE-2019-13918 | Siemens SINEMA Remote Connect Server security vulnerability | SINEMA Remote Connect Server | 9.8 | - | 2019-09-13
CVE-2019-5035 | Google Nest Cam IQ Indoor cryptographic issue vulnerability | Nest Labs | 10.0 | - | 2019-08-20
CVE-2019-0039 | Junos OS: Login credentials are vulnerable to brute force attacks through the REST API | Junos OS | 8.1 | - | 2019-04-10
CVE-2019-6524 | Multiple Moxa products authorization issue vulnerability | Moxa IKS, EDS | 9.8 | - | 2019-03-05
CVE-2018-19021 | Emerson DeltaV Distributed Control System permission and access control vulnerability | Emerson DeltaV | 6.5 | - | 2019-01-25
CVE-2018-14657 | Red Hat Keycloak security feature issue vulnerability | keycloak | 9.4 | - | 2018-11-13
CVE-2018-5469 | Multiple Belden products security vulnerability | Hirschmann Automation and Control GmbH Classic Platform Switches | 9.8 | - | 2018-03-06
CVE-2017-15887 | Synology CardDAV Server trust management vulnerability | Synology CardDAV Server | 9.8 | - | 2017-11-07
CVE-2017-7898 | Multiple Rockwell Automation products security vulnerability | Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 | 9.8 | - | 2017-06-30
CVE-2017-7915 | Multiple Moxa products security vulnerability | Moxa OnCell | 9.8 | - | 2017-05-29

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.