CWE-307 Details

CWE-307

Improper Restriction of Excessive Authentication Attempts
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Allgemeine Informationen

Einführungsmodi

Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
Access ControlBypass Protection Mechanism

Note: An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2019-0039

the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing

CVE-1999-1152

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1291

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-0395

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1339

Product does not disconnect or timeout after multiple failed logins.

CVE-2002-0628

Product does not disconnect or timeout after multiple failed logins.

CVE-1999-1324

User accounts not disabled when they exceed a threshold; possibly a resultant problem.

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Phases : Architecture and Design

Erkennungsmethoden

Dynamic Analysis with Automated Results Interpretation

Wirksamkeit : High

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : High

Manual Static Analysis - Source Code

Wirksamkeit : High

Automated Static Analysis - Source Code

Wirksamkeit : SOAR Partial

Automated Static Analysis

Wirksamkeit : SOAR Partial

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-16 Dictionary-based Password Attack
CAPEC-49 Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560 Use of Known Domain Credentials
CAPEC-565 Password Spraying
CAPEC-600 Credential Stuffing
CAPEC-652 Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653 Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Referenzen

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-236

Weak Password Brings 'Happiness' to Twitter Hacker
Kim Zetter.
https://www.wired.com/2009/01/professed-twitt/

REF-1218

This Black Box Can Brute Force Crack iPhone PIN Passcodes
Graham Cluley.
https://www.intego.com/mac-security-blog/iphone-pin-pass-code/

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Änderungen

Name Organisation Datum Kommentar
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-07-27 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2021-10-28 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships, Weakness_Ordinalities
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.