CVE-2023-25156: No protection against brute-force attacks on login page

February 15, 2023

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.

References

github.com/advisories/GHSA-7968-h4m4-ghm9
github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9
huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/
kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120/
nvd.nist.gov/vuln/detail/CVE-2023-25156

Detect and mitigate CVE-2023-25156 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →