Lucene search

GitHub_MCVELIST:CVE-2022-35925

HistoryAug 02, 2022 - 8:15 p.m.

CVE-2022-35925 Missing rate limit in Authentication in bookwyrm

2022-08-0220:15:15

CWE-287

GitHub_M

www.cve.org

cve-2022-35925

bookwyrm

authentication

rate limit

brute force

nginx configuration

patch

upgrade

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

62.2%

JSON

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their nginx.conf file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.

CNA Affected

[
  {
    "product": "bookwyrm",
    "vendor": "bookwyrm-social",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.4.5"
      }
    ]
  }
]

References

github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

huntr.dev/bounties/ebee593d-3fd0-4985-bf5e-7e7927e08bf6/

www.github.com/bookwyrm-social/bookwyrm/commit/7bbe42fb30a79a26115524d18b697d895563c92f

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

62.2%

JSON

Related for CVELIST:CVE-2022-35925