Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-15759

Summary
Assigner-dell
Assigner Org ID-c550e75a-17ff-4988-97f0-544cde3820fe
Published At-19 Nov, 2018 | 14:00
Updated At-17 Sep, 2024 | 01:50
Rejected At-
Credits

On Demand Services SDK Timing Attack Vulnerability

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:dell
Assigner Org ID:c550e75a-17ff-4988-97f0-544cde3820fe
Published At:19 Nov, 2018 | 14:00
Updated At:17 Sep, 2024 | 01:50
Rejected At:
▼CVE Numbering Authority (CNA)
On Demand Services SDK Timing Attack Vulnerability

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

Affected Products
Vendor
VMware (Broadcom Inc.)Pivotal
Product
On Demand Services SDK
Versions
Affected
  • From all versions before 0.24.0 (custom)
Problem Types
TypeCWE IDDescription
textN/AInformation Exposure Through Timing Discrepancy
Type: text
CWE ID: N/A
Description: Information Exposure Through Timing Discrepancy
Metrics
VersionBase scoreBase severityVector
3.09.1CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.0
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://pivotal.io/security/cve-2018-15759
x_refsource_CONFIRM
http://www.securityfocus.com/bid/106019
vdb-entry
x_refsource_BID
Hyperlink: https://pivotal.io/security/cve-2018-15759
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securityfocus.com/bid/106019
Resource:
vdb-entry
x_refsource_BID
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://pivotal.io/security/cve-2018-15759
x_refsource_CONFIRM
x_transferred
http://www.securityfocus.com/bid/106019
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://pivotal.io/security/cve-2018-15759
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securityfocus.com/bid/106019
Resource:
vdb-entry
x_refsource_BID
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security_alert@emc.com
Published At:19 Nov, 2018 | 14:29
Updated At:09 Oct, 2019 | 23:35

Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.09.1CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches
VMware (Broadcom Inc.)
pivotal_software
>>broker_api>>Versions before 3.0.2(exclusive)
cpe:2.3:a:pivotal_software:broker_api:*:*:*:*:*:*:*:*
VMware (Broadcom Inc.)
pivotal_software
>>on_demand_services_sdk>>Versions before 0.24.0(exclusive)
cpe:2.3:a:pivotal_software:on_demand_services_sdk:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarynvd@nist.gov
CWE ID: CWE-307
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/106019security_alert@emc.com
Third Party Advisory
VDB Entry
https://pivotal.io/security/cve-2018-15759security_alert@emc.com
Vendor Advisory
Hyperlink: http://www.securityfocus.com/bid/106019
Source: security_alert@emc.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://pivotal.io/security/cve-2018-15759
Source: security_alert@emc.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

133Records found
CVE-2002-0628
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.42% / 79.80%
||
7 Day CHG~0.00%
Published-03 Jan, 2003 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack.

Action-Not Available
Vendor-polycomn/a
Product-viewstation_v.35viewstation_mpviewstation_h.323viewstation_dcpviewstation_sp_384viewstation_fx_vs4000viewstation_512viewstation_128n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-6524
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.25% / 47.87%
||
7 Day CHG~0.00%
Published-05 Mar, 2019 | 21:00
Updated-16 Sep, 2024 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack.

Action-Not Available
Vendor-ICS-CERTMoxa Inc.
Product-eds-510aeds-408a_firmwareeds-408aeds-510a_firmwareiks-g6824aeds-405a_firmwareiks-g6824a_firmwareeds-405aMoxa IKS, EDS
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-4797
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 39.59%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in usememos/memos

Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-4310
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 53.19%
||
7 Day CHG~0.00%
Published-20 Aug, 2019 | 18:25
Updated-17 Sep, 2024 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Big Data Intelligence 4.0 (SonarG) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 161036.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardium_big_data_intelligenceSecurity Guardium Big Data Intelligence
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-4336
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.63% / 69.44%
||
7 Day CHG~0.00%
Published-01 Jul, 2019 | 15:05
Updated-17 Sep, 2024 | 02:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Robotic Process Automation with Automation Anywhere 11 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 161411.

Action-Not Available
Vendor-IBM Corporation
Product-robotic_process_automation_with_automation_anywhereRobotic Process Automation with Automation Anywhere
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-4068
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.24% / 47.67%
||
7 Day CHG~0.00%
Published-07 Jun, 2019 | 14:40
Updated-16 Sep, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to user enumeration, allowing an attacker to brute force into the system. IBM X-Force ID: 157013.

Action-Not Available
Vendor-IBM Corporation
Product-intelligent_operations_center_for_emergency_managementwater_operations_for_waternamicsintelligent_operations_centerIntelligent Operations Center
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-3746
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-0.99% / 75.99%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 20:20
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API. An authenticated remote user may exploit this vulnerability to launch a brute-force authentication attack in order to gain access to the system.

Action-Not Available
Vendor-Dell Inc.
Product-emc_idpa_dp8300emc_integrated_data_protection_appliance_firmwareemc_idpa_dp5800emc_idpa_dp4400emc_idpa_dp8800Integrated Data Protection Appliance
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-16670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 63.63%
||
7 Day CHG~0.00%
Published-06 Dec, 2019 | 17:05
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. The Authentication mechanism has no brute-force prevention.

Action-Not Available
Vendor-weidmuellern/a
Product-ie-sw-pl18mt-2gc14tx2stie-sw-pl18mt-2gc14tx2st_firmwareie-sw-pl16mt-16tx_firmwareie-sw-pl10m-1gt-2gs-7tx_firmwareie-sw-pl08m-8txie-sw-vl05mt-3tx-2scie-sw-vl05mt-3tx-2sc_firmwareie-sw-pl18m-2gc14tx2scie-sw-vl05mt-5txie-sw-pl08m-6tx-2st_firmwareie-sw-vl08mt-6tx-2stie-sw-pl18m-2gc14tx2scsie-sw-pl08mt-8txie-sw-pl18mt-2gc14tx2scsie-sw-pl16mt-14tx-2stie-sw-vl05m-5txie-sw-pl16mt-16txie-sw-pl16mt-14tx-2sc_firmwareie-sw-pl18m-2gc14tx2scs_firmwareie-sw-pl08mt-6tx-2st_firmwareie-sw-pl16m-16tx_firmwareie-sw-vl08mt-6tx-2scsie-sw-pl10m-3gt-7tx_firmwareie-sw-vl05m-3tx-2sc_firmwareie-sw-pl08m-6tx-2sc_firmwareie-sw-pl08m-6tx-2stie-sw-pl08m-8tx_firmwareie-sw-pl08m-6tx-2scs_firmwareie-sw-pl09m-5gc-4gtie-sw-pl18m-2gc-16tx_firmwareie-sw-vl08mt-6tx-2sc_firmwareie-sw-pl09mt-5gc-4gtie-sw-vl05m-3tx-2st_firmwareie-sw-vl08mt-6tx-2scie-sw-pl18mt-2gc-16tx_firmwareie-sw-pl10m-3gt-7txie-sw-pl16m-16txie-sw-pl10mt-3gt-7txie-sw-pl08mt-6tx-2sc_firmwareie-sw-pl08mt-6tx-2scie-sw-pl18mt-2gc14tx2scs_firmwareie-sw-pl08mt-8tx_firmwareie-sw-pl18mt-2gc-16txie-sw-pl16m-14tx-2stie-sw-pl18m-2gc14tx2stie-sw-vl05mt-3tx-2st_firmwareie-sw-pl16m-14tx-2scie-sw-pl18m-2gc-16txie-sw-vl08mt-5tx-1sc-2scsie-sw-pl16mt-14tx-2st_firmwareie-sw-pl18m-2gc14tx2sc_firmwareie-sw-pl10mt-1gt-2gs-7tx_firmwareie-sw-pl08m-6tx-2scie-sw-pl08m-6tx-2scsie-sw-pl09m-5gc-4gt_firmwareie-sw-vl08mt-6tx-2st_firmwareie-sw-pl08mt-6tx-2stie-sw-pl16mt-14tx-2scie-sw-pl18m-2gc14tx2st_firmwareie-sw-vl08mt-5tx-3sc_firmwareie-sw-pl10mt-3gt-7tx_firmwareie-sw-pl18mt-2gc14tx2sc_firmwareie-sw-pl09mt-5gc-4gt_firmwareie-sw-pl16m-14tx-2sc_firmwareie-sw-vl05mt-5tx_firmwareie-sw-pl10m-1gt-2gs-7txie-sw-vl08mt-6tx-2scs_firmwareie-sw-pl10mt-1gt-2gs-7txie-sw-vl05m-3tx-2scie-sw-vl08mt-8tx_firmwareie-sw-pl18mt-2gc14tx2scie-sw-vl08mt-8txie-sw-pl08mt-6tx-2scsie-sw-pl16m-14tx-2st_firmwareie-sw-vl05mt-3tx-2stie-sw-vl08mt-5tx-3scie-sw-vl08mt-5tx-1sc-2scs_firmwareie-sw-vl05m-3tx-2stie-sw-pl08mt-6tx-2scs_firmwareie-sw-vl05m-5tx_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-1999-1152
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-12 Sep, 2001 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

Action-Not Available
Vendor-compaqn/a
Product-microcom_6000_firmwaremicrocom_6000n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-14951
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.48% / 63.95%
||
7 Day CHG~0.00%
Published-12 Aug, 2019 | 15:15
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile.

Action-Not Available
Vendor-telenavn/a
Product-scout_gps_linkn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-4520
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 65.51%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 14:45
Updated-17 Sep, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Directory Server 6.4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 165178.

Action-Not Available
Vendor-IBM Corporation
Product-security_directory_serverSecurity Directory Server
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-14299
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.37% / 58.13%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 18:50
Updated-05 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ricoh SP C250DN 1.05 devices have an Authentication Method Vulnerable to Brute Force Attacks. Some Ricoh printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.

Action-Not Available
Vendor-n/aRicoh Company, Ltd.
Product-sp_c250sfsp_c252sf_firmwaresp_c252sfsp_c250sf_firmwaresp_c250dnsp_c252dnsp_c252dn_firmwaresp_c250dn_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-13166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.15%
||
7 Day CHG~0.00%
Published-13 Mar, 2020 | 18:33
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement account lockout. Local account credentials may be extracted from the device via brute force guessing attacks.

Action-Not Available
Vendor-n/aXerox Corporation
Product-phaser_3320phaser_3320_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22003
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.36% / 57.11%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 21:02
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical based on lockout policy configuration and password complexity for the target account.

Action-Not Available
Vendor-n/aLinux Kernel Organization, IncVMware (Broadcom Inc.)
Product-linux_kernelidentity_managerworkspace_one_accessvrealize_suite_lifecycle_managercloud_foundationVMware Workspace ONE Access and Identity Manager
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-33209
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 42.59%
||
7 Day CHG~0.00%
Published-03 Nov, 2021 | 10:02
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Fimer Aurora Vision before 2.97.10. The response to a failed login attempt discloses whether the username or password is wrong, helping an attacker to enumerate usernames. This can make a brute-force attack easier.

Action-Not Available
Vendor-fimern/a
Product-aurora_visionn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-3412
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.3||HIGH
EPSS-0.15% / 36.60%
||
7 Day CHG~0.00%
Published-01 Jun, 2021 | 13:47
Updated-03 Aug, 2024 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-3scale3scale_api_management3Scale
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22915
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 64.58%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:49
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.

Action-Not Available
Vendor-n/aFedora ProjectNextcloud GmbH
Product-fedoranextcloud_serverNextcloud Server
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-32705
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.07% / 76.84%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 15:30
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of ratelimit on public DAV endpoint

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

Action-Not Available
Vendor-Fedora ProjectNextcloud GmbH
Product-fedoranextcloud_serversecurity-advisories
CWE ID-CWE-799
Improper Control of Interaction Frequency
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-28127
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.22%
||
7 Day CHG~0.00%
Published-01 Jul, 2021 | 14:01
Updated-03 Aug, 2024 | 21:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Stormshield SNS through 4.2.1. A brute-force attack can occur.

Action-Not Available
Vendor-stormshieldn/a
Product-stormshield_network_securityn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-29842
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.09% / 26.00%
||
7 Day CHG~0.00%
Published-16 Sep, 2021 | 15:50
Updated-17 Sep, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server LibertyWebSphere Application Server
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2017-12316
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-1.19% / 77.99%
||
7 Day CHG~0.00%
Published-16 Nov, 2017 | 07:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Guest Portal login page. An exploit could allow the attacker to perform brute-force password attacks on the ISE Guest Portal. Cisco Bug IDs: CSCve98518.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-identity_services_engine_softwareCisco Identity Services Engine
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-28909
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.76% / 81.84%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 17:35
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers to access uncontrolled the login service at /webif/SecurityModule in a brute force attack. The password could be weak and default username is known as 'admin'. This is usable and part of an attack chain to gain SSH root access.

Action-Not Available
Vendor-bab-technologien/a
Product-eibport_firmwareeibportn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-28248
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.24% / 46.77%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 07:14
Updated-03 Aug, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account, NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-ehealthn/aehealth
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-4393
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.82%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 15:14
Updated-04 Aug, 2024 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL AppScan Standard is vulnerable to excessive authorization attempts

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-appscanHCL AppScan Standard Edition
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-18985
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.02% / 3.72%
||
7 Day CHG+0.01%
Published-15 Nov, 2019 | 04:21
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pimcore before 6.2.2 lacks brute force protection for the 2FA token.

Action-Not Available
Vendor-n/aPimcore
Product-pimcoren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2018-5469
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.04% / 13.29%
||
7 Day CHG~0.00%
Published-06 Mar, 2018 | 21:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has been identified, which may allow an attacker to brute force authentication.

Action-Not Available
Vendor-beldenn/a
Product-hirschmann_octopus_16m-train-bphirschmann_octopus_os20-001000t5t5tafuhbhirschmann_octopus_24mhirschmann_mach104-16tx-poep_\+2x_-r-l3phirschmann_rsb20-0900s2tttaabehirschmann_mach4002-48g-l3ehirschmann_octopus_os20-0010001s1strephhhirschmann_rsb20-0900zzz6taabhirschmann_rsb20-0900zzz6saabhirschmann_mach4002-24g-l2phirschmann_octopus_8m-6poehirschmann_octopus_24m-trainhirschmann_rsb20-0900s2ttsaabehirschmann_octopus_os3x-xx24xxxhirschmann_rs20-0900nnm4tdauhirschmann_mach4002-24g-l3ehirschmann_octopus_24m-8_poehirschmann_octopus_8m-trainhirschmann_rs20-1600l2m2sdauhirschmann_rs20-1600s2m2sdauhirschmann_rsb20-0800t1t1saabehirschmann_mach4002-48g\+3x-l3phirschmann_rsb20-0900m2tttaabehirschmann_mach102-8tp-frhirschmann_ms20-0800saaphirschmann_rsb20-0900vvm2saabhirschmann_mach104-16tx-poephirschmann_mach104-16tx-poep_-e-l3phirschmann_m1-8tp-rj45hirschmann_mach102-8tphirschmann_rs20-1600l2l2sdauhirschmann_mach102-8tp-rhirschmann_mach104-20tx-frhirschmann_rsb20-0900m2ttsaabhirschmann_rsb20-0900vvm2taabhirschmann_mach104-20tx-f-4poehirschmann_ms30-0802saaehirschmann_octopus_os24-081000t5t5tneuhbhirschmann_octopus_os30hirschmann_octopus_os20-0010004m4mtrephhhirschmann_mach4002-48g-l3phirschmann_octopus_24m-train-bphirschmann_octopus_os32-080802o6o6tpephhhirschmann_rs20-1600m2t1sdauhirschmann_rs20-1600s2s2sdauhirschmann_octopus_16m-trainhirschmann_octopus_os30-0008021b1btrephhhirschmann_ms20-0800eccphirschmann_rsb20-0900m2ttsaabehirschmann_rsb20-0800t1t1saabhirschmann_rsb20-0900s2ttsaabhirschmann_rsb20-0900zzz6saabehirschmann_octopus_16mhirschmann_rsb20-0800m2m2saabhirschmann_octopus_os30-0008024b4btrephhhirschmann_rs20-1600m2m2sdauhirschmann_ms20-1600saaehirschmann_octopus_os20-000900t5t5tafbhhhirschmann_octopus_os24-080900t5t5tnebhhhirschmann_octopus_os32-081602o6o6tpephhhirschmann_rsb20-0900mmm2saabhirschmann_mach104-20tx-fhirschmann_rsb20-0900mmm2taabhirschmann_ms20-0800saaehirschmann_octopus_os34hirschmann_rsb20-0800t1t1taabhirschmann_octopus_os20-0010004s4strephhhirschmann_rs20-0900vvm2tdauhirschmann_octopus_os24-081000t5t5tffuhbhirschmann_mach102-24tp-fhirschmann_mach4002-48g-l2phirschmann_ms30-0802saaphirschmann_octopus_5tx_eechirschmann_rsb20-0800s2s2saabehirschmann_mach104-16tx-poep_-ehirschmann_ms20-1600saaphirschmann_rsb20-0900mmm2taabehirschmann_m1-8mm-schirschmann_mach104-16tx-poep_-r-l3phirschmann_rsb20-0800m2m2taabehirschmann_mach104-20tx-f-l3phirschmann_rsb20-0900mmm2saabehirschmann_mach104-16tx-poep_-rhirschmann_rs20-1600l2s2sdauhirschmann_mach102-24tp-frhirschmann_rs20-1600l2t1sdauhirschmann_octopus_8tx_poe-eechirschmann_mach104-20tx-fr-l3phirschmann_octopus_8m-8poehirschmann_octopus_os20-001000t5t5tneuhbhirschmann_mach102-8tp-fhirschmann_mach104-16tx-poep_\+2xhirschmann_octopus_os24-080900t5t5tffbhhhirschmann_rs20-0900mmm2tdauhirschmann_octopus_os30-0008024a4atrephhhirschmann_mach4002-48g\+3x-l2phirschmann_rsb20-0900m2tttaabhirschmann_mach4002-24g\+3x-l2phirschmann_ms30-1602saaehirschmann_mach4002-24g\+3x-l3phirschmann_rsr20hirschmann_octopus_os20-0010001m1mtrephhhirschmann_mach104-16tx-poep_\+2x_-ehirschmann_octopus_16m-8poehirschmann_rsb20-0800m2m2saabehirschmann_rsb20-0800s2s2saabhirschmann_octopus_os20-000900t5t5tnebhhhirschmann_rsr30hirschmann_mach4002-24g-l3phirschmann_octopus_os3x-xx16xxxhirschmann_rsb20-0800m2m2taabhirschmann_mach104-16tx-poep_\+2x-l3phirschmann_mach104-16tx-poep-l3phirschmann_rsb20-0900vvm2saabehirschmann_octopus_os32-081602t6t6tpephhhirschmann_rs20-1600s2t1sdauhirschmann_m1-8sm-schirschmann_rsb20-0900s2tttaabhirschmann_rsb20-0900vvm2taabehirschmann_rsb20-0900zzz6taabehirschmann_octopus_os32-080802t6t6tpephhhirschmann_mach4002-48g\+3x-l3ehirschmann_ms20-1600eccphirschmann_rsb20-0800t1t1taabehirschmann_octopus_8m-train-bphirschmann_mach104-16tx-poep_\+2x_-e-l3phirschmann_rsb20-0800s2s2taabehirschmann_octopus_os30-0008021a1atrephhhirschmann_mach4002-24g\+3x-l3ehirschmann_octopus_8mhirschmann_octopus_8tx-eechirschmann_rsb20-0800s2s2taabhirschmann_m1-8sfphirschmann_mach104-16tx-poep_\+2x_-rHirschmann Automation and Control GmbH Classic Platform Switches
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-25309
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 67.15%
||
7 Day CHG~0.00%
Published-02 Mar, 2021 | 00:41
Updated-03 Aug, 2024 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.

Action-Not Available
Vendor-gigasetn/a
Product-dx600adx600a_firmwaren/a
CWE ID-CWE-521
Weak Password Requirements
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-32703
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.73% / 81.67%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 15:25
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lack of ratelimit on shareinfo endpoint

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

Action-Not Available
Vendor-Fedora ProjectNextcloud GmbH
Product-fedoranextcloud_serversecurity-advisories
CWE ID-CWE-799
Improper Control of Interaction Frequency
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-32522
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 47.29%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-16 Sep, 2024 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN Storage Manager, XEVO, SANOS - Improper Restriction of Excessive Authentication Attempts

Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document.

Action-Not Available
Vendor-qsanQSAN
Product-sanosxevostorage_managerXEVOStorage ManagerSANOS
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-20415
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 16:30
Updated-17 Sep, 2024 | 02:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196217.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_data_encryptionGuardium Data Encryption
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2016-9124
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 56.72%
||
7 Day CHG~0.00%
Published-28 Mar, 2017 | 02:46
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.

Action-Not Available
Vendor-revive-adservern/a
Product-revive_adserverRevive Adserver All versions before 3.2.3
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-4193
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.41% / 60.73%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 13:35
Updated-17 Sep, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium 11.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 174857.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardiumSecurity Guardium
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-35585
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.23%
||
7 Day CHG~0.00%
Published-23 Dec, 2020 | 14:56
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities.

Action-Not Available
Vendor-mersiven/a
Product-solstice_pod_firmwaresolstice_podn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found