CVE-2021-22530

Published: Aug 28, 2024Modified: Sep 13, 2024

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Exploitability: 3.9 / Impact: 5.3

Source: NVD

Description

A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1

Affected (8)

Products: Microfocus: Netiq Advanced Authentication

Microfocus

1 product

Netiq Advanced Authentication

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Microfocus Netiq Advanced Authentication	Before 6.3
Microfocus Netiq Advanced Authentication	Version 6.3
Microfocus Netiq Advanced Authentication	Version 6.3 sp1
Microfocus Netiq Advanced Authentication	Version 6.3 sp2
Microfocus Netiq Advanced Authentication	Version 6.3 sp3
Microfocus Netiq Advanced Authentication	Version 6.3 sp4
Microfocus Netiq Advanced Authentication	Version 6.3 sp4_patch1
Microfocus Netiq Advanced Authentication	Version 6.3 sp5

Related CWEs

CWE-307

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

CWE-667

Improper Locking

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

References (1)

https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html

Source: security@opentext.com

Release Notes

Timeline

No history available yet.