CVE-2020-11052 Information

Description

In Sorcery before 0.15.0 there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule nor users that use permanent account lockout. This has been patched in 0.15.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/Sorcery/sorcery/commit/0f116d223826895a73b12492f17486e5d54ab7a7 https://github.com/Sorcery/sorcery/issues/231 https://github.com/Sorcery/sorcery/pull/235 https://github.com/Sorcery/sorcery/security/advisories/GHSA-jc8m-cxhj-668x

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8