Detalle CWE-307

CWE-307

Improper Restriction of Excessive Authentication Attempts
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Informaciones generales

Modos de introducción

Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Access ControlBypass Protection Mechanism

Note: An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Ejemplos observados

Referencias Descripción

CVE-2019-0039

the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing

CVE-1999-1152

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1291

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-0395

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1339

Product does not disconnect or timeout after multiple failed logins.

CVE-2002-0628

Product does not disconnect or timeout after multiple failed logins.

CVE-1999-1324

User accounts not disabled when they exceed a threshold; possibly a resultant problem.

Mitigaciones potenciales

Phases : Architecture and Design
Phases : Architecture and Design

Métodos de detección

Dynamic Analysis with Automated Results Interpretation

Efectividad : High

Dynamic Analysis with Manual Results Interpretation

Efectividad : High

Manual Static Analysis - Source Code

Efectividad : High

Automated Static Analysis - Source Code

Efectividad : SOAR Partial

Automated Static Analysis

Efectividad : SOAR Partial

Architecture or Design Review

Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-16 Dictionary-based Password Attack
CAPEC-49 Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560 Use of Known Domain Credentials
CAPEC-565 Password Spraying
CAPEC-600 Credential Stuffing
CAPEC-652 Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653 Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Referencias

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-236

Weak Password Brings 'Happiness' to Twitter Hacker
Kim Zetter.
https://www.wired.com/2009/01/professed-twitt/

REF-1218

This Black Box Can Brute Force Crack iPhone PIN Passcodes
Graham Cluley.
https://www.intego.com/mac-security-blog/iphone-pin-pass-code/

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-07-27 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2021-10-28 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.