
CWE-307 (Improper Restriction of Excessive Authentication Attempts) — Vulnerability Class 332

332 vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). AI Chinese analysis included.

CWE-307 represents a critical authentication weakness where systems fail to adequately restrict the number of login attempts within a specific timeframe. This vulnerability is typically exploited by attackers conducting brute-force or credential stuffing attacks, allowing them to systematically guess valid usernames and passwords until access is granted. Without proper safeguards, automated tools can rapidly cycle through extensive password dictionaries, compromising user accounts and sensitive data. To mitigate this risk, developers must implement robust countermeasures such as account lockout policies after a defined number of failures, progressive delays between login attempts, or CAPTCHA challenges to distinguish human users from bots. Additionally, integrating multi-factor authentication provides an essential layer of defense, ensuring that even if credentials are compromised, unauthorized access remains blocked.

MITRE CWE Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common Consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include: disconnecting the user after a small number of failed attempts; implementing a timeout; locking out a targeted account; requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
Examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked.
Bad · Java
    // Every request goes straight to the credential check; nothing counts,
    // delays or locks out repeated failures for this username.
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);
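The mitigations listed above (a timeout between attempts and an account lockout) as an added Python example, not code from MITRE or from this page; `demo_check` and `_DEMO_USERS` are a constructed stand-in for the real credential lookup, and the clock is injectable so the behaviour can be tested without waiting.

```python
# Added example: a login throttle applying two CWE-307 mitigations, a progressive
# delay after each failure and a lockout after MAX_FAILURES within WINDOW_SECONDS.
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 5           # lock the account after this many failures in the window
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60  # how long a locked account stays locked
BASE_DELAY = 1.0           # seconds; doubles after every failure (1, 2, 4, 8, ...)

# Constructed user table for the demo; a real system checks a salted hash instead.
_DEMO_USERS = {"alice": "correct horse"}

def demo_check(username, password):
    """Hypothetical credential check; constant-time compare of the demo secret."""
    return hmac.compare_digest(_DEMO_USERS.get(username, ""), password)

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # lockout expiry (epoch seconds)
    not_before: float = 0.0                       # next attempt allowed at

class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now
        self._state = {}  # username -> AccountState

    def attempt(self, username, password, check=demo_check):
        """Return (outcome, retry_after_seconds); outcome is ok|locked|too_fast|bad."""
        t = self._now()
        st = self._state.setdefault(username, AccountState())
        if t < st.locked_until:                   # account lockout in force
            return "locked", st.locked_until - t
        if t < st.not_before:                     # progressive delay not yet elapsed
            return "too_fast", st.not_before - t
        if check(username, password):
            self._state.pop(username, None)       # success clears the failure history
            return "ok", 0.0
        st.failures = [f for f in st.failures if t - f < WINDOW_SECONDS]
        st.failures.append(t)
        n = len(st.failures)
        if n >= MAX_FAILURES:                     # mitigation: lock out the account
            st.locked_until = t + LOCKOUT_SECONDS
            return "locked", float(LOCKOUT_SECONDS)
        delay = BASE_DELAY * 2 ** (n - 1)         # mitigation: timeout between attempts
        st.not_before = t + delay
        return "bad", delay
```

A per-account lockout alone lets anyone who knows a username deny that user service, so production deployments pair it with per-source rate limits or the CAPTCHA step mentioned above.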
CVE ID | Title | CVSS | Severity | Published
CVE-2023-36917 | Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform — SAP BusinessObjects Business Intelligence Platform | 5.9 | Medium | 2023-07-11
CVE-2023-3605 | PHPGurukul Online Shopping Portal Registration Page excessive authentication — Online Shopping Portal | 6.5 | Medium | 2023-07-10
CVE-2023-35697 | SICK ICR890-4 security vulnerability — ICR890-4 | 5.3 | Medium | 2023-07-10
CVE-2023-33868 | PiiGAB M-Bus Improper Restriction of Excessive Authentication Attempts — M-Bus SoftwarePack | 5.9 | Medium | 2023-07-06
CVE-2023-32224 | D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts — DSL-224 firmware version 3.0.10 | 9.8 | Critical | 2023-06-28
CVE-2023-35172 | Nextcloud Server password reset endpoint is not brute force protected — security-advisories | 8.7 | High | 2023-06-23
CVE-2023-32320 | Nextcloud Server's brute force protection allows someone to send more requests than intended — security-advisories | 8.7 | High | 2023-06-22
CVE-2022-32757 | IBM Security Directory Suite VA information disclosure — Security Directory Suite VA | 7.5 | High | 2023-06-15
CVE-2022-42478 | Fortinet FortiSIEM security vulnerability — FortiSIEM | 8.1 | High | 2023-06-13
CVE-2023-3173 | Improper Restriction of Excessive Authentication Attempts in froxlor/froxlor — froxlor/froxlor | 9.4 | - | 2023-06-09
CVE-2023-32319 | Basic auth header on WebDAV requests is not brute-force protected in Nextcloud — security-advisories | 8.1 | High | 2023-05-26
CVE-2023-32074 | Nextcloud user_oidc app is missing brute force protection — security-advisories | 8.0 | High | 2023-05-25
CVE-2023-2675 | Improper Restriction of Excessive Authentication Attempts in linagora/twake — linagora/twake | 9.8 | - | 2023-05-12
CVE-2023-2531 | Improper Restriction of Excessive Authentication Attempts in azuracast/azuracast — azuracast/azuracast | 7.5 | - | 2023-05-05
CVE-2023-28847 | Nextcloud Server missing brute force protection for passwords of password protected share links — security-advisories | 3.1 | Low | 2023-04-25
CVE-2022-43377 | Schneider Electric NetBotz security vulnerability — NetBotz 4 - 355/450/455/550/570 | 7.5 | High | 2023-04-18
CVE-2022-2525 | Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web — janeczku/calibre-web | 9.1 | - | 2023-04-15
CVE-2022-43947 | Fortinet FortiOS security vulnerability — FortiOS | 4.7 | Medium | 2023-04-11
CVE-2023-29005 | No Rate Limiting on Login AUTH DB — Flask-AppBuilder | 7.5 | High | 2023-04-10
CVE-2023-25818 | Missing brute force protection on password reset token in Nextcloud Server — security-advisories | 5.3 | Medium | 2023-03-27
CVE-2023-1665 | Improper Restriction of Excessive Authentication Attempts in linagora/twake — linagora/twake | 8.2 | - | 2023-03-27
CVE-2023-25820 | Nextcloud Server and Enterprise Server missing brute force protection on password confirmation modal — security-advisories | 4.2 | Medium | 2023-03-22
CVE-2023-1539 | Improper Restriction of Excessive Authentication Attempts in answerdev/answer — answerdev/answer | 8.2 | - | 2023-03-21
CVE-2023-26209 | Fortinet FortiDeceptor security vulnerability — FortiDeceptor | 3.5 | Low | 2023-03-09
CVE-2023-26208 | Fortinet FortiAuthenticator security vulnerability — FortiAuthenticator | 3.5 | Low | 2023-03-09
CVE-2022-29056 | Fortinet FortiMail security vulnerability — FortiMail | 3.5 | Low | 2023-03-09
CVE-2023-1101 | SonicWALL SonicOS security vulnerability — SonicOS | 8.8 | - | 2023-03-02
CVE-2023-0860 | Improper Restriction of Excessive Authentication Attempts in modoboa/modoboa-installer — modoboa/modoboa-installer | 9.1 | - | 2023-02-16
CVE-2022-34389 | Dell SupportAssist for Home PCs security vulnerability — SupportAssist | 3.7 | Low | 2023-02-10
CVE-2023-24020 | Snap One Wattbox security vulnerability — Wattbox WB-300-IP-3 | 7.5 | High | 2023-01-30

Vulnerabilities classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) represent 332 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.