CVE-2023-43320: tfa: add data for rate limiting and blocking · proxmox/proxmox-rs@50b793d

An issue in Proxmox Server Solutions GmbH Proxmox VE v5.4 through v8.0, Proxmox Backup Server v1.1 through v3.0, and Proxmox Mail Gateway v7.1 through v8.0 allows a remote authenticated attacker to escalate privileges by bypassing the two-factor authentication component.


Commit


tfa: add data for rate limiting and blocking

TfaUserData uses `#[serde(deny_unknown_fields)]`, so we add this now, but using it will require explicitly enabling it.

If the TOTP count is high, the user should be locked out of TOTP entirely until they use a recovery key to reset the count.

If a user’s TFA try count is too high, they should get rate limited.

In both cases they should receive some kind of notification.

Signed-off-by: Wolfgang Bumiller [email protected]


Related news

Proxmox VE 7.4-1 TOTP Brute Force

Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.
