
CWE-307 Improper Restriction of Excessive Authentication Attempts: vulnerability list (332)

Summary of the 332 CVE vulnerabilities in the CWE-307 (Improper Restriction of Excessive Authentication Attempts) weakness class, with AI-generated Chinese analysis.

CWE-307 is an authentication weakness: the system does not effectively limit the number of failed authentication attempts within a short period. Attackers commonly exploit this for brute-force or dictionary attacks, guessing credentials at high frequency to obtain unauthorized access. Developers should implement account lockout, introduce CAPTCHA challenges, or apply adaptive rate limiting; this preserves the user experience while significantly raising the difficulty and cost of automated attacks.

MITRE CWE official description
CWE-307: Improper Restriction of Excessive Authentication Attempts. Description: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include disconnecting the user after a small number of failed attempts, implementing a timeout, locking out a targeted account, or requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
Bad · Java
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);
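The servlet above checks the credentials on every request with no memory of earlier failures. As an added illustration of the lockout and timeout mitigations listed above (example code, not from MITRE or this platform), the following Python wraps a credential check with a per-account failure counter and a timed lockout; the user store, thresholds and the injected clock are constructed for the demo.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5           # failed attempts tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long a locked account rejects all attempts

# Constructed demo credential store (username -> SHA-256 of password).
# Illustrative only; production code stores a salted, slow hash (argon2/bcrypt).
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success
    locked_until: float = 0  # clock value until which attempts are rejected


class Authenticator:
    """Wraps the credential check with a per-account failure counter and timed lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the demo can advance time deterministically
        self.state = {}

    def authenticate(self, username, password):
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"  # rejected before the password is even checked
        expected = USERS.get(username, "")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if expected and hmac.compare_digest(expected, digest):
            st.failures = 0  # a success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "denied"


def demo():
    # Six wrong guesses, then the correct password during and after the lockout window.
    t = [0.0]
    auth = Authenticator(clock=lambda: t[0])
    guesses = [auth.authenticate("alice", f"guess{i}") for i in range(6)]
    during = auth.authenticate("alice", "correct horse battery staple")
    t[0] += LOCKOUT_SECONDS + 1
    after = auth.authenticate("alice", "correct horse battery staple")
    return guesses, during, after
```

The correct password is refused while the lockout is active, which is the behaviour that defeats high-frequency guessing; the "locked" result is also the event a defender would want logged and alerted on.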
CVE ID | Title | CVSS | Risk level | Published
CVE-2024-8429 | Digital Operation Services WiFiBurada security vulnerability (WiFiBurada) | 4.3 | Medium | 2024-12-17
CVE-2024-38488 | Dell RecoverPoint for Virtual Machines security vulnerability (RecoverPoint for Virtual Machines) | 6.5 | Medium | 2024-12-13
CVE-2024-9928 | Hitachi Energy NSD570 security vulnerability (NSD570 Teleprotection Equipment) | 5.3 | Medium | 2024-11-26
CVE-2024-49597 | Dell Wyse Management Suite security vulnerability (Wyse Management Suite) | 7.6 | High | 2024-11-26
CVE-2024-5716 | LogSign Unified SecOps Platform security vulnerability (Unified SecOps Platform) | 9.8 | - | 2024-11-22
CVE-2024-0787 | phpIPAM security vulnerability (phpipam/phpipam) | 9.8 (AI) | Critical (AI) | 2024-11-15
CVE-2024-9832 | Baxter Life2000 security vulnerability (Life2000 Ventilation System) | 9.3 | Critical | 2024-11-14
CVE-2024-51720 | BlackBerry SecuSUITE security vulnerability (SecuSUITE) | 4.8 | Medium | 2024-11-12
CVE-2024-11126 | Digistar AG-30 Plus security vulnerability (AG-30 Plus) | 3.1 | Low | 2024-11-12
CVE-2024-47592 | SAP NetWeaver AS security vulnerability (SAP NetWeaver Application Server Java (Logon Application)) | 5.3 | Medium | 2024-11-12
CVE-2024-51558 | Brokerage Wave security vulnerability (Wave 2.0) | 9.8 (AI) | Critical (AI) | 2024-11-04
CVE-2024-7292 | Progress Software Telerik Report Server security vulnerability (Telerik Report Server) | 7.5 | High | 2024-10-09
CVE-2024-47656 | Shilpi Client Dashboard security vulnerability (Client Dashboard) | 9.8 | - | 2024-10-04
CVE-2024-47088 | Apex Softcell LD Geo security vulnerability (LD Geo) | 9.8 (AI) | Critical (AI) | 2024-09-19
CVE-2024-5682 | Yordam Library Automation System security vulnerability (Yordam Library Automation System) | 9.1 (AI) | Critical (AI) | 2024-09-18
CVE-2024-45790 | Reedos aiM-Star 2.0.1 security vulnerability (Mutual Fund Distribution Product (aiM-Star)) | 9.8 (AI) | Critical (AI) | 2024-09-11
CVE-2024-45327 | Fortinet FortiSOAR security vulnerability (FortiSOAR) | 7.1 | High | 2024-09-11
CVE-2024-32771 | QNAP QTS and QuTS hero security vulnerability (QTS) | 2.6 | Low | 2024-09-06
CVE-2024-8462 | WindMill security vulnerability (Windmill) | 3.7 | Low | 2024-09-05
CVE-2024-42466 | upKeeper security vulnerability (upKeeper Manager) | 9.8 (AI) | Critical (AI) | 2024-08-16
CVE-2024-42465 | upKeeper security vulnerability (upKeeper Manager) | 9.8 (AI) | Critical (AI) | 2024-08-16
CVE-2024-39398 | Adobe Commerce security vulnerability (Adobe Commerce) | 7.4 | High | 2024-08-14
CVE-2024-41904 | Siemens SINEC Traffic Analyzer security vulnerability (SINEC Traffic Analyzer) | 7.5 | High | 2024-08-13
CVE-2024-41682 | Siemens Location Intelligence Perpetual security vulnerability (Location Intelligence family) | 5.3 | Medium | 2024-08-13
CVE-2024-38176 | Microsoft GroupMe security vulnerability (GroupMe) | 8.1 | High | 2024-07-23
CVE-2024-39917 | xrdp security vulnerability (xrdp) | 7.2 | High | 2024-07-12
CVE-2024-39874 | Siemens SINEMA Remote Connect security vulnerability (SINEMA Remote Connect Server) | 7.5 | High | 2024-07-09
CVE-2024-39873 | Siemens SINEMA Remote Connect Server security vulnerability (SINEMA Remote Connect Server) | 7.5 | High | 2024-07-09
CVE-2024-25031 | IBM Storage Defender security vulnerability (Storage Defender - Resiliency Service) | 6.5 | Medium | 2024-06-28
CVE-2024-5862 | Mia Technology MIA-MED security vulnerability (Mia-Med Health Aplication) | 7.5 | High | 2024-06-24

CWE-307 (Improper Restriction of Excessive Authentication Attempts) is a common weakness class; this platform has catalogued 332 CVE vulnerabilities associated with it.