
CVE-2022-2650: wger vulnerable to brute force attempts

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.31133%
Published: 11/24/2022
Updated: 2/2/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
wger | pip | < 2.22.2 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper restriction of authentication attempts. The key evidence is the addition of django-axes (a security tool for blocking brute force attacks) in the patched commit. The UserAPILoginView's POST handler in views.py was vulnerable because:

  1. It had AllowAny permissions with no rate limiting in vulnerable versions
  2. The patch added deprecation warnings and JWT authentication, but more crucially introduced AXES_FAILURE_LIMIT and AXES_COOLOFF_TIME configurations
  3. The original code showed no evidence of failed attempt tracking or lockout mechanisms
  4. CWE-307 (Improper Restriction of Excessive Authentication Attempts) describes exactly this situation: an authentication endpoint with no limit on failed attempts, open to brute-forcing
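As an added illustration (not wger's or django-axes' own code), the following stand-alone model shows the failure-limit plus cool-off lockout that the patch delegates to django-axes, keyed by the same settings names; the limit and cool-off values are assumed here, not taken from wger's settings.

```python
"""Model of failed-login tracking with a failure limit and cool-off window.
This is an illustrative reimplementation of the policy, not django-axes itself.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Names match the django-axes settings the patch introduced; the values are
# assumed for this example and are not wger's configured values.
AXES_FAILURE_LIMIT = 5                      # failures before lockout
AXES_COOLOFF_TIME = timedelta(minutes=30)   # how long the lockout lasts


@dataclass
class LoginAttemptTracker:
    failure_limit: int = AXES_FAILURE_LIMIT
    cooloff: timedelta = AXES_COOLOFF_TIME
    # lockout key (username, client IP, or a combination) -> (failures, last failure time)
    # Keying on username alone lets an attacker lock real users out; keying on IP
    # alone is weak against distributed sources. django-axes lets you combine both.
    _failures: dict = field(default_factory=dict)

    def is_locked(self, key: str, now: datetime) -> bool:
        count, last = self._failures.get(key, (0, None))
        if count < self.failure_limit:
            return False
        if now - last >= self.cooloff:
            # cool-off elapsed: forget the old failures and let the caller try again
            del self._failures[key]
            return False
        return True

    def record(self, key: str, credentials_ok: bool, now: datetime) -> bool:
        """Return True if the login is allowed to succeed.

        A locked key is rejected even when the credentials are correct, which is
        what stops an attacker from guessing past the limit inside the window.
        """
        if self.is_locked(key, now):
            return False
        if credentials_ok:
            self._failures.pop(key, None)   # reset on success
            return True
        count, _ = self._failures.get(key, (0, None))
        self._failures[key] = (count + 1, now)
        return False
```

Without such tracking, the vulnerable handler evaluated every POST on its own, so the number of guesses was bounded only by network throughput.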


WAF Protection Rules

WAF Rule

Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to *.*.
