
CWE-645 (Overly Restrictive Account Lockout Mechanism) — Vulnerability Class 6

6 vulnerabilities classified as CWE-645 (Overly Restrictive Account Lockout Mechanism). AI Chinese analysis included.

CWE-645 represents a configuration weakness where an account lockout mechanism is overly restrictive, triggering too easily and inadvertently facilitating denial-of-service attacks against legitimate users. While intended to mitigate brute-force password guessing, this flaw allows attackers to maliciously exhaust the allowed login attempts by repeatedly entering incorrect credentials for specific target accounts. Consequently, valid users are locked out and unable to access the system, disrupting business operations and causing significant availability issues. To prevent this vulnerability, developers must implement robust lockout policies that balance security with usability. Best practices include incorporating CAPTCHA challenges after a few failed attempts, implementing progressive delays rather than immediate locks, and utilizing IP-based rate limiting alongside account-specific thresholds to distinguish between automated attacks and genuine user errors.

MITRE CWE Description
The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out. Account lockout is a security feature often present in applications as a countermeasure to the brute-force attack on the password-based authentication mechanism of the system. After a certain number of failed login attempts, the user's account may be disabled for a certain period of time or until it is unlocked by an administrator. Other security events may also possibly trigger account lockout. However, an attacker may use this very security feature to deny service to legitimate system users. It is therefore important to ensure that the account lockout security mechanism is not overly restrictive.
Common Consequences (1)
Scope: Availability. Impact: DoS: Resource Consumption (Other).
Users could be locked out of accounts.
Mitigations (3)
Phase: Architecture and Design. Implement more intelligent password throttling mechanisms, such as those which take the IP address into account in addition to the login name.
Phase: Architecture and Design. Implement a lockout timeout that grows as the number of incorrect login attempts goes up, eventually resulting in a complete lockout.
Phase: Architecture and Design. Consider alternatives to account lockout that would still be effective against password brute-force attacks, such as presenting the user machine with a puzzle to solve (makes it do some computation).
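The two throttling ideas above (key the throttle on source IP as well as login name, and let the timeout grow with each failure instead of locking at a fixed count) are easiest to compare against the CWE-645 pattern in code. The following is an added example, not code from the CWE entry or from any of the listed products; the thresholds, the fixed clock and the two IP addresses are constructed for the simulation.

```python
"""Side by side: the overly restrictive lockout CWE-645 describes, and a
throttle keyed on (account, source IP) with a doubling timeout plus a per-IP
ceiling. Timestamps are passed in explicitly so the simulation is deterministic."""
from collections import defaultdict


class NaiveAccountLockout:
    """CWE-645 pattern: N failures on an account lock it for every client.
    Anyone who knows a username can lock its owner out."""

    def __init__(self, max_failures=3, lock_seconds=900.0):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, source_ip, now):
        # source_ip is ignored entirely: that is the weakness.
        return self.locked_until.get(account, 0.0) <= now

    def record_failure(self, account, source_ip, now):
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds

    def record_success(self, account, source_ip):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


class ThrottledLogin:
    """Mitigations 1 and 2: the delay is tracked per (account, source IP) and
    doubles with each failure up to a cap, so a stranger's failures never block
    the account owner's own address. A per-IP ceiling stops one source from
    spraying many accounts. (Distributed sources defeat the IP key, which is
    why the third mitigation, a client-side puzzle, is listed as well.)"""

    def __init__(self, base_seconds=1.0, max_seconds=3600.0,
                 ip_max_failures=20, ip_window_seconds=600.0):
        self.base = base_seconds
        self.max_seconds = max_seconds
        self.ip_max_failures = ip_max_failures
        self.ip_window = ip_window_seconds
        self.pair_failures = defaultdict(int)      # (account, ip) -> count
        self.pair_blocked_until = {}               # (account, ip) -> time
        self.ip_failures = defaultdict(list)       # ip -> failure timestamps

    def _ip_recent(self, ip, now):
        # Drop timestamps that fell out of the sliding window.
        recent = [t for t in self.ip_failures[ip] if now - t < self.ip_window]
        self.ip_failures[ip] = recent
        return len(recent)

    def allowed(self, account, ip, now):
        if self._ip_recent(ip, now) >= self.ip_max_failures:
            return False
        return self.pair_blocked_until.get((account, ip), 0.0) <= now

    def record_failure(self, account, ip, now):
        key = (account, ip)
        self.pair_failures[key] += 1
        n = self.pair_failures[key]
        delay = min(self.base * 2 ** (n - 1), self.max_seconds)  # 1,2,4,8,...
        self.pair_blocked_until[key] = now + delay
        self.ip_failures[ip].append(now)

    def record_success(self, account, ip):
        self.pair_failures.pop((account, ip), None)
        self.pair_blocked_until.pop((account, ip), None)


# Constructed addresses (RFC 5737 documentation ranges) and a fixed clock.
ATTACKER_IP, VICTIM_IP, T0 = "203.0.113.5", "198.51.100.7", 1_000_000.0


def simulate_targeted(policy, attempts=50):
    """An attacker sends wrong passwords for 'victim', one per second, then the
    real owner tries from a different address a few seconds later. Returns
    (victim_can_log_in, attacker_still_allowed)."""
    for i in range(attempts):
        t = T0 + i
        if policy.allowed("victim", ATTACKER_IP, t):
            policy.record_failure("victim", ATTACKER_IP, t)
    later = T0 + attempts + 5
    return (policy.allowed("victim", VICTIM_IP, later),
            policy.allowed("victim", ATTACKER_IP, later))


def simulate_spray(policy, accounts=30):
    """One source tries one wrong password against each of `accounts` distinct
    usernames. Returns how many of those attempts the policy let through."""
    let_through = 0
    for i in range(accounts):
        t = T0 + i
        if policy.allowed(f"user{i}", ATTACKER_IP, t):
            let_through += 1
            policy.record_failure(f"user{i}", ATTACKER_IP, t)
    return let_through


if __name__ == "__main__":
    print("naive     targeted:", simulate_targeted(NaiveAccountLockout()))
    print("throttled targeted:", simulate_targeted(ThrottledLogin()))
    print("naive     spray   :", simulate_spray(NaiveAccountLockout()))
    print("throttled spray   :", simulate_spray(ThrottledLogin()))
```

Under the naive policy the owner is locked out after three strangers' failures and the spray goes through untouched; under the throttle the attacker's address ends up waiting out a growing delay, the owner's address is unaffected, and the per-IP ceiling cuts the spray off at the configured count.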
Examples (1)
A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect login attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could th…
CVE ID | Title | CVSS | Severity | Published
CVE-2026-25907 | Dell PowerScale OneFS security vulnerability — PowerScale OneFS | 5.3 | Medium | 2026-03-04
CVE-2025-5241 | Denial-of-Service Vulnerability in MELSEC iQ-F Series — MELSEC iQ-F Series FX5U-32MT/ES | 5.3 | Medium | 2025-07-11
CVE-2025-31947 | Repeated LDAP login failures can lock an LDAP account — Mattermost | 5.8 | Medium | 2025-05-15
CVE-2024-37028 | BIG-IP Next Central Manager vulnerability — BIG-IP Next Central Manager | 5.3 | Medium | 2024-08-14
CVE-2024-1722 | Keycloak-core: dos via account lockout | 3.7 | Low | 2024-02-27
CVE-2023-4346 | KNX Connection Authorization security vulnerability — KNX Protocol Connection Authorization Option 1 | 7.5 | High | 2023-08-29

Vulnerabilities classified as CWE-645 (Overly Restrictive Account Lockout Mechanism) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.