
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
Bad · Java
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // Nothing counts, delays or locks out failed attempts before this call,
    // so the credential check runs for every request the servlet receives.
    int authResult = authenticateUser(username, password);
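A guarded form of the doPost() lookup, as an added Python example (not the CWE page's own code), combining the mitigations listed above: a progressive delay after each failure, a lockout once max_failures is reached, and a counter keyed on the username plus the real peer address rather than a client-supplied header. LoginThrottle, attempt_login and the authenticate callback are assumed names; the clock is injectable so the delays can be checked without sleeping.

```python
import time
from dataclasses import dataclass
@dataclass
class _Bucket:
    failures: int = 0
    next_allowed: float = 0.0  # clock time before which attempts are refused

class LoginThrottle:
    """Added example (not the CWE page's own code): a per-(username, address)
    failure counter that applies a progressive delay, then a lockout."""
    def __init__(self, max_failures=5, base_delay=1.0, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout = lockout
        self.clock = clock  # injectable so tests can advance time deterministically
        self._buckets = {}

    def _key(self, username, client_ip):
        # Key on the username *and* the socket peer address, never a client-supplied
        # header such as X-Forwarded-For (an arbitrary IP value would reset the
        # counter); the username part keeps one address from locking every account.
        return (username.lower(), client_ip)

    def retry_after(self, username, client_ip):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        b = self._buckets.get(self._key(username, client_ip))
        return 0.0 if b is None else max(0.0, b.next_allowed - self.clock())

    def record_failure(self, username, client_ip):
        b = self._buckets.setdefault(self._key(username, client_ip), _Bucket())
        b.failures += 1
        if b.failures >= self.max_failures:
            delay = self.lockout  # hard lockout once the limit is reached
        else:
            delay = self.base_delay * 2 ** (b.failures - 1)  # 1 s, 2 s, 4 s, ...
        b.next_allowed = self.clock() + delay
        return delay

    def record_success(self, username, client_ip):
        self._buckets.pop(self._key(username, client_ip), None)

def attempt_login(throttle, authenticate, username, password, client_ip):
    """Guarded form of the servlet lookup: consult the throttle before the credential check."""
    wait = throttle.retry_after(username, client_ip)
    if wait > 0:
        return False, wait  # refused without touching the password store
    if authenticate(username, password):
        throttle.record_success(username, client_ip)
        return True, 0.0
    return False, throttle.record_failure(username, client_ip)
```

While a (username, address) pair is throttled, even the correct password is refused without being checked, which is what denies an automated dictionary run its per-request feedback.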
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2022-45790 | Omron FINS memory protection susceptible to bruteforce — CJ-series and CS-series CPU modules | 8.6 | High | 2024-01-22
CVE-2024-22317 | IBM App Connect Enterprise denial of service — App Connect Enterprise | 9.1 | Critical | 2024-01-18
CVE-2023-49810 | WWBN AVideo security vulnerability — AVideo | 7.3 | High | 2024-01-10
CVE-2023-49792 | Bruteforce protection can be bypassed with misconfigured proxy — security-advisories | 5.3 | Medium | 2023-12-22
CVE-2023-6912 | Brute force vulnerability in M-Files user authentication — M-Files Server | 7.5 | High | 2023-12-20
CVE-2023-6928 | Improper Restriction of Excessive Authentication Attempts — ETL3100 | 9.8 | Critical | 2023-12-19
CVE-2023-6756 | Thecosy IceCMS Captcha login excessive authentication — IceCMS | 5.3 | Medium | 2023-12-13
CVE-2023-35039 | WordPress Password Reset with Code for WordPress REST API Plugin <= 0.0.15 is vulnerable to Broken Authentication — Password Reset with Code for WordPress REST API | 9.8 | Critical | 2023-12-07
CVE-2023-46745 | Rate limiting Bypass on login page in libreNMS — librenms | 5.3 | Medium | 2023-11-17
CVE-2023-45582 | Fortinet FortiMail security vulnerability — FortiMail | 5.3 | Medium | 2023-11-14
CVE-2023-42480 | Information Disclosure in NetWeaver AS Java Logon — NetWeaver AS Java | 5.3 | Medium | 2023-11-14
CVE-2023-41270 | Samsung Smart TV UE40D7000 WPS DoS attack — UE40D7000 | 3.5 | Low | 2023-11-08
CVE-2023-4625 | Denial-of-Service(DoS) Vulnerability in Web server function on MELSEC Series CPU module — MELSEC iQ-F Series FX5U-32MT/ES | 5.3 | Medium | 2023-11-06
CVE-2023-41350 | Chunghwa Telecom NOKIA G-040W-Q - Excessive Authentication Attempts — NOKIA G-040W-Q | 7.5 | High | 2023-11-03
CVE-2023-5754 | Improper Restriction of Excessive Authentication Attempts in Sielco PolyEco1000 — PolyEco1000 | 9.1 | Critical | 2023-10-26
CVE-2023-46123 | jumpserver is vulnerable to password brute-force protection bypass via arbitrary IP values — jumpserver | 5.3 | Medium | 2023-10-25
CVE-2023-45149 | Password of talk conversations can be bruteforced in Nextcloud — security-advisories | 4.3 | Medium | 2023-10-16
CVE-2023-45148 | Rate limiter not working reliable when Memcached is installed in Nextcloud — security-advisories | 4.3 | Medium | 2023-10-16
CVE-2023-39960 | Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint — security-advisories | 5.0 | Medium | 2023-10-13
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability — Windows 10 Version 22H2 | 9.8 | Critical | 2023-10-10
CVE-2023-43699 | SICK APU RDT400 security vulnerability — APU0200 | 7.5 | High | 2023-10-09
CVE-2023-26271 | IBM Security Guardium Data Encryption information disclosure — Guardium Cloud Key Manager | 5.3 | Medium | 2023-08-28
CVE-2022-43904 | IBM Security Guardium information disclosure — Security Guardium | 7.5 | High | 2023-08-27
CVE-2023-40706 | Improper Restriction of Excessive Authentication Attempts in OPTO 22 SNAP PAC S1 Built-in Web Server — SNAP PAC S1 | 8.6 | High | 2023-08-24
CVE-2023-39958 | Missing brute force protection on password reset token OAuth2 API controller — security-advisories | 5.8 | Medium | 2023-08-10
CVE-2023-21709 | Microsoft Exchange Server Elevation of Privilege Vulnerability — Microsoft Exchange Server 2019 Cumulative Update 12 | 9.8 | Critical | 2023-08-08
CVE-2023-3669 | CODESYS: Missing Brute-Force protection in CODESYS Development System — CODESYS Development System | 3.3 | Low | 2023-08-03
CVE-2023-3548 | IQ Wifi 6 — IQ Wifi 6 | 8.3 | High | 2023-07-25
CVE-2023-32657 | Weintek Weincloud Improper Restriction of Excessive Authentication Attempts — Weincloud | 5.3 | Medium | 2023-07-19
CVE-2023-29301 | Adobe ColdFusion Improper Restriction of Excessive Authentication Attempts Security feature bypass — ColdFusion | 7.5 | High | 2023-07-12

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.