blob: 5c0c800c97415cb6eab504b0b5c0e6ae11eaddbe [file] [log] [blame]
id: GO-2024-2614
modules:
- module: github.com/IceWhaleTech/CasaOS-UserService
versions:
- introduced: 0.4.4-3-alpha1
fixed: 0.4.7
vulnerable_at: 0.4.6-alpha3
packages:
- package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
symbols:
- PostUserLogin
summary: Password brute force attack in github.com/IceWhaleTech/CasaOS-UserService
description: |-
The CasaOS web application does not have protection against password brute force
attacks. An attacker can use a password brute force attack to find and gain full
access to the server. This vulnerability allows attackers to get super
user-level access over the server.
cves:
- CVE-2024-24767
ghsas:
- GHSA-c69x-5xmw-v44x
credits:
- DrDark1999
references:
- advisory: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x
- fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699
- web: https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
review_status: REVIEWED