CVE-2024-55008
Published: 07 January 2025
Description
JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.
Security Summary
CVE-2024-55008 is a denial-of-service (DoS) vulnerability affecting JATOS version 3.9.4 in its authentication system. The issue stems from the account lockout mechanism, which triggers after three incorrect login attempts every minute, locking the targeted user account indefinitely. This flaw aligns with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and impact on availability.
Any unauthenticated attacker can exploit this vulnerability remotely without privileges by repeatedly submitting failed login attempts for a specific user account. Since lockouts are enforced at the account level rather than by IP address, an attacker can target and disable access for any legitimate user, preventing them from logging in and disrupting services indefinitely.
Reference URLs include the JATOS website at http://jatos.com and Medium articles detailing the vulnerability at https://hacking-notes.medium.com/cve-2024-51379-jatos-v3-9-4-account-lockout-denial-of-service-cc970f4ca58f. Security practitioners should consult these advisories for guidance on patches or mitigations.
Details
- CWE(s)