[//]: # (werk v2)
# Bruteforce protection for two factor authentication
key | value
---------- | ---
date | 2024-06-06T17:19:18+00:00
version | 2.4.0b1
class | security
edition | cre
component | core
level | 1
compatible | yes
Prior to this werk, Two Factor Authentication failures could not trigger account lockout.
All three methods will now count towards failed login attempts against a user's
account.
As a result, an attacker could try to brute-force and therefore bypass user's two
factor protections without triggering the lockout mechanism.
This vulnerability was identified in a commissioned penetration test conducted by PS
Positive Security GmbH.
*Affected Versions*:
* 2.3.0
*Indicators of Compromise*:
Failed two factor authentication attempts can be identified within a Checkmk site's
security log file (~/var/log/security.log).
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28833</code>.