CVE-2024-24767

Published: Mar 6, 2024Modified: Apr 10, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.

Affected (1)

Products: Icewhale: Casaos

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Icewhale Casaos	From 0.4.4.3 to 0.4.7

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (6)

https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699

Source: security-advisories@github.com

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Source: security-advisories@github.com

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/IceWhaleTech/CasaOS-UserService/commit/62006f61b55951048dbace4ebd9e483274838699

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c69x-5xmw-v44x

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.