Détail du CWE-307

CWE-307

Improper Restriction of Excessive Authentication Attempts
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Informations générales

Modes d'introduction

Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
Access ControlBypass Protection Mechanism

Note: An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.

Exemples observés

Références Description

CVE-2019-0039

the REST API for a network OS has a high limit for number of connections, allowing brute force password guessing

CVE-1999-1152

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1291

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-0395

Product does not disconnect or timeout after multiple failed logins.

CVE-2001-1339

Product does not disconnect or timeout after multiple failed logins.

CVE-2002-0628

Product does not disconnect or timeout after multiple failed logins.

CVE-1999-1324

User accounts not disabled when they exceed a threshold; possibly a resultant problem.

Mesures d’atténuation potentielles

Phases : Architecture and Design
Phases : Architecture and Design

Méthodes de détection

Dynamic Analysis with Automated Results Interpretation

Efficacité : High

Dynamic Analysis with Manual Results Interpretation

Efficacité : High

Manual Static Analysis - Source Code

Efficacité : High

Automated Static Analysis - Source Code

Efficacité : SOAR Partial

Automated Static Analysis

Efficacité : SOAR Partial

Architecture or Design Review

Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID Nom du modèle d'attaque
CAPEC-16 Dictionary-based Password Attack
CAPEC-49 Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560 Use of Known Domain Credentials
CAPEC-565 Password Spraying
CAPEC-600 Credential Stuffing
CAPEC-652 Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653 Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

Références

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-236

Weak Password Brings 'Happiness' to Twitter Hacker
Kim Zetter.
https://www.wired.com/2009/01/professed-twitt/

REF-1218

This Black Box Can Brute Force Crack iPhone PIN Passcodes
Graham Cluley.
https://www.intego.com/mac-security-blog/iphone-pin-pass-code/

Soumission

Nom Organisation Date Date de publication Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Nom Organisation Date Commentaire
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-07-27 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2021-10-28 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples, Description, Observed_Examples, References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships, Weakness_Ordinalities
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.