CVE-2024-24767

Source
https://cve.org/CVERecord?id=CVE-2024-24767
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24767.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-24767
Aliases
Published
2024-03-06T18:06:26.237Z
Modified
2026-04-10T05:10:52.213516Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Details

CasaOS-UserService provides user management functionality to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS does not defend against password brute-force attacks, which can lead to full access to the server. The web application does not limit or throttle login attempts (CWE-307). This vulnerability allows attackers to obtain super-user-level access to the server. Version 0.4.7 contains a patch for this issue.

Database specific
{
    "cwe_ids": [
        "CWE-307"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24767.json"
}
References

Affected packages

Git / github.com/icewhaletech/casaos-userservice

Affected ranges

Type
GIT
Repo
https://github.com/icewhaletech/casaos-userservice
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0.4.4.3"
        },
        {
            "fixed": "0.4.7"
        }
    ]
}

Affected versions

v0.*
v0.3.5-alpha1
v0.3.5-alpha2
v0.3.5-alpha3
v0.3.6
v0.3.6-alpha1
v0.3.6-alpha2
v0.3.6-alpha3
v0.3.6-alpha4
v0.3.6-alpha5
v0.3.6-alpha6
v0.3.6-alpha7
v0.3.7
v0.3.7-alpha1
v0.3.7-alpha2
v0.4.0
v0.4.0-alpha1
v0.4.0-alpha2
v0.4.0-alpha3
v0.4.0-alpha4
v0.4.0-alpha5
v0.4.0-alpha6
v0.4.1
v0.4.1-alpha1
v0.4.1-alpha2
v0.4.2
v0.4.2-alpha1
v0.4.4
v0.4.4-2-alpha1
v0.4.4-3-alpha1
v0.4.4-3-alpha2
v0.4.4-3-alpha3
v0.4.4-alpha1
v0.4.4-alpha2
v0.4.4-alpha3
v0.4.4-alpha5
v0.4.4-alpha6
v0.4.4-alpha7
v0.4.4-alpha8
v0.4.5
v0.4.6-alpha1
v0.4.6-alpha2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24767.json"