
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities are classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include:
  - Disconnecting the user after a small number of failed attempts
  - Implementing a timeout
  - Locking out a targeted account
  - Requiring a computational task on the user's part
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);

Bad · Java
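As an added example (not from the MITRE entry or from this page), the following Python class implements the countermeasures listed above for the servlet pattern: a per-account failed-attempt counter with a timeout window, lockout after a small number of failures, and a progressive delay between attempts. The credential store, thresholds and clock injection are constructed for the demo.

```python
import hmac
import time

# Constructed demo credential store (not from the page): username -> password.
# A real system stores salted hashes; plaintext keeps the focus on throttling.
CREDENTIALS = {"alice": "correct horse battery staple"}

MAX_FAILURES = 5        # failures allowed inside the window before lockout
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is hit


class LoginThrottle:
    """Per-account failed-attempt counter with lockout and progressive delay."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so tests can advance time
        self._failures = {}        # username -> timestamps of recent failures
        self._locked_until = {}    # username -> time the lockout expires

    def _recent_failures(self, user):
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = recent
        return recent

    def is_locked(self, user):
        return self._clock() < self._locked_until.get(user, 0.0)

    def delay_before_next_attempt(self, user):
        """Progressive delay in seconds: 0 before any failure, then 1, 2, 4, ..."""
        n = len(self._recent_failures(user))
        return 0.0 if n == 0 else float(2 ** (n - 1))

    def authenticate(self, user, password):
        """True only for a correct password on an account that is not locked."""
        if self.is_locked(user):
            return False               # reject even a correct password while locked
        expected = CREDENTIALS.get(user, "")
        # Constant-time compare, run for unknown users too, so response time
        # does not reveal whether the username exists.
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if ok and user in CREDENTIALS:
            self._failures.pop(user, None)   # success clears the counter
            return True
        failures = self._recent_failures(user)
        failures.append(self._clock())
        if len(failures) >= MAX_FAILURES:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
        return False
```

The counter state is held in memory here; as CVE-2024-21652 in the list below illustrates, state that disappears on a crash or restart resets the protection, so a deployment should persist it alongside the account record.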
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-28022 | Hitachi FOXMAN-UN security vulnerability | FOXMAN-UN | 6.5 | Medium | 2024-06-11 |
| CVE-2024-35747 | WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability | Contact Form Builder, Contact Widget | 5.3 | Medium | 2024-06-10 |
| CVE-2024-28833 | Missing brute-force protection for two factor authentication | Checkmk | 5.9 | Medium | 2024-06-10 |
| CVE-2024-3102 | JSON Injection in mintplex-labs/anything-llm | mintplex-labs/anything-llm | 7.5 (AI) | High (AI) | 2024-06-06 |
| CVE-2023-48745 | WordPress Captcha Code plugin <= 2.9 - Captcha Bypass vulnerability | Captcha Code | 5.3 | Medium | 2024-06-04 |
| CVE-2023-48318 | WordPress Contact Form Email plugin <= 1.3.41 - Captcha Bypass vulnerability | Contact Form Email | 5.3 | Medium | 2024-06-04 |
| CVE-2023-48290 | WordPress Form Maker by 10Web plugin <= 1.15.20 - Captcha Bypass Vulnerability vulnerability | Form Maker by 10Web | 5.3 | Medium | 2024-06-04 |
| CVE-2023-48276 | WordPress WP Forms Puzzle Captcha plugin <= 4.1 - Captcha Bypass vulnerability | WP Forms Puzzle Captcha | 5.3 | Medium | 2024-06-04 |
| CVE-2023-45009 | WordPress Captcha for Contact Form 7 plugin <= 1.11.3 - Captcha Bypass vulnerability | Captcha/Honeypot for Contact Form 7 | 5.3 | Medium | 2024-06-04 |
| CVE-2023-44235 | WordPress WP Captcha plugin <= 2.0.0 - Captcha Bypass vulnerability | WP Captcha | 5.3 | Medium | 2024-06-04 |
| CVE-2023-34001 | WordPress Hide My WP Ghost – Security Plugin plugin <= 5.0.25 - Captcha Bypass vulnerability | Hide My WP Ghost | 5.3 | Medium | 2024-06-04 |
| CVE-2023-23730 | WordPress Spectra – WordPress Gutenberg Blocks plugin <= 2.3.0 - Captcha Bypass Vulnerability | Spectra | 5.3 | Medium | 2024-06-03 |
| CVE-2024-32774 | WordPress ProfileGrid plugin <= 5.8.2 - Group Members Limit Bypass vulnerability | ProfileGrid | 4.3 | Medium | 2024-05-17 |
| CVE-2024-32720 | WordPress Appointment Hour Booking plugin <= 1.4.56 - Captcha Bypass vulnerability | Appointment Hour Booking | 5.3 | Medium | 2024-05-17 |
| CVE-2024-3461 | KioWare security vulnerability | Kioware | 6.2 | Medium | 2024-05-09 |
| CVE-2024-32868 | ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass | zitadel | 6.5 | Medium | 2024-04-25 |
| CVE-2024-32676 | WordPress LoginPress Pro plugin < 3.0.0 - Captcha Bypass vulnerability | LoginPress Pro | 5.3 | Medium | 2024-04-25 |
| CVE-2024-28825 | Brute-force protection ineffective for some login methods | Checkmk | 5.9 | Medium | 2024-04-24 |
| CVE-2024-30390 | Junos OS Evolved: Connection limits is not being enforced while the resp. rate limit is being enforced | Junos OS Evolved | 5.3 | Medium | 2024-04-12 |
| CVE-2024-3202 | codelyfe Stupid Simple CMS Login Page excessive authentication | Stupid Simple CMS | 3.7 | Low | 2024-04-02 |
| CVE-2024-21662 | Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow | argo-cd | 7.5 | High | 2024-03-18 |
| CVE-2024-21652 | Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss | argo-cd | 9.8 | Critical | 2024-03-18 |
| CVE-2024-2051 | Schneider Electric Easergy T200 security vulnerability | Easergy T200 (Modbus) Models: T200I, T200E, T200P, T200S, T200H | 9.8 | Critical | 2024-03-18 |
| CVE-2024-24767 | CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability | CasaOS-UserService | 9.1 | Critical | 2024-03-06 |
| CVE-2024-1104 | Temporary denial of service during a brute force attack | Webserv2 | 7.5 | High | 2024-02-22 |
| CVE-2024-21500 | Caddy security vulnerability | github.com/greenpau/caddy-security | 4.8 | Medium | 2024-02-17 |
| CVE-2024-22425 | Dell RecoverPoint for Virtual Machines security vulnerability | RecoverPoint for VMs | 6.5 | Medium | 2024-02-16 |
| CVE-2023-45191 | IBM Engineering Lifecycle Optimization information disclosure | Engineering Lifecycle Optimization - Publishing | 7.5 | High | 2024-02-09 |
| CVE-2023-38273 | IBM Cloud Pak System information disclosure | Cloud Pak System | 7.5 | High | 2024-02-02 |
| CVE-2023-50326 | IBM PowerSC information disclosure | PowerSC | 7.5 | High | 2024-02-02 |

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) account for 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.