CVE-2024-21500: Improper Restriction of Excessive Authentication Attempts

February 17, 2024 (updated February 20, 2024)

All versions of the package github.com/greenpau/caddy-security is vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.

References

blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy
github.com/advisories/GHSA-vfph-hjfv-cpv2
github.com/greenpau/caddy-security/issues/271
nvd.nist.gov/vuln/detail/CVE-2024-21500
security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249864

Detect and mitigate CVE-2024-21500 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →