Lucene search

[email protected]NVD:CVE-2022-35925

HistoryAug 02, 2022 - 9:15 p.m.

CVE-2022-35925

2022-08-0221:15:08

CWE-307

CWE-287

[email protected]

web.nvd.nist.gov

bookwyrm

social network

authentication

rate limiting

brute-force attacks

patch

version 0.4.5

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

62.2%

JSON

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their nginx.conf file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.

Affected configurations

Nvd

Node

joinbookwyrmbookwyrmRange<0.4.5

VendorProductVersionCPE
joinbookwyrmbookwyrm*cpe:2.3:a:joinbookwyrm:bookwyrm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
joinbookwyrm	bookwyrm	*	cpe:2.3:a:joinbookwyrm:bookwyrm::::::::

References

github.com/bookwyrm-social/bookwyrm/security/advisories/GHSA-jvp3-mqv8-5rjw

huntr.dev/bounties/ebee593d-3fd0-4985-bf5e-7e7927e08bf6/

www.github.com/bookwyrm-social/bookwyrm/commit/7bbe42fb30a79a26115524d18b697d895563c92f

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

62.2%

JSON

Related for NVD:CVE-2022-35925

cve1 osv1 prion1 cvelist1 huntr1