[//]: # (werk v2)
# Brute-force protection ineffective for some login methods
key | value
---------- | ---
date | 2024-04-09T12:24:12+00:00
version | 2.3.0b5
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, the mechanism to lock user accounts after too many failed login
attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout
mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the
lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic
authentication _for human user accounts_.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid
having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
**Affected Versions**:
* 2.3.0 (beta)
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
**Mitigations**:
If updating is not possible, the brute-force attempts can be hindered by using a strong
password policy.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`
and assigned CVE `CVE-2024-28825`.
Show replies by date