
CVE-2023-0777: Authentication Bypass in modoboa

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.98699%
Published: 2/10/2023
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: modoboa
Ecosystem: pip
Vulnerable Versions: <= 2.0.3
First Patched Version: 2.0.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing API throttling on authentication-related endpoints. The patch adds throttle_classes to these views (LoginThrottle, PasswordResetRequestThrottle, etc.) and introduces a GetThrottleViewsetMixin that is applied across the critical endpoints. Prior to 2.0.4, these authentication flows had no rate limiting, so an unlimited number of login and password-reset attempts could be made, enabling brute-force and credential-stuffing attacks. The affected functions are the ones the diff shows receiving throttling protection in the patched version.
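To make the fix concrete, the following added example (written for this page, not modoboa's own code) shows a standard-library sliding-window throttle whose allow_request()/wait() shape mirrors a Django REST framework throttle, applied to a hypothetical login view before the password check. The limits (5 attempts per minute per client IP, 10 per 5 minutes per account), the user store, and the view class are constructed assumptions; the unthrottled function represents the pre-2.0.4 shape in which every attempt reaches the credential check.

```python
"""Added example: sliding-window throttling in front of a login endpoint.
Hypothetical code; the throttle names and limits are not modoboa's own."""
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple


class SlidingWindowThrottle:
    """Allow at most num_requests per key within any window of `duration` seconds."""

    def __init__(self, num_requests: int, duration: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.num_requests = num_requests
        self.duration = duration
        self.clock = clock  # injectable so tests can advance time deterministically
        self.history: Dict[str, Deque[float]] = {}

    def allow_request(self, key: str) -> bool:
        """Record the request and return True if it is within the limit."""
        now = self.clock()
        hist = self.history.setdefault(key, deque())
        while hist and hist[0] <= now - self.duration:  # expire timestamps outside the window
            hist.popleft()
        if len(hist) >= self.num_requests:
            return False  # limit reached; do not record the rejected attempt
        hist.append(now)
        return True

    def wait(self, key: str) -> float:
        """Seconds until `key` would be admitted again (0.0 if it would be now)."""
        hist = self.history.get(key)
        if not hist or len(hist) < self.num_requests:
            return 0.0
        return max(0.0, hist[0] + self.duration - self.clock())


# Constructed credential store standing in for the real user backend.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    # Toy comparison for the example; a real backend compares password hashes.
    return USERS.get(username) == password


def login_unthrottled(username: str, password: str) -> Tuple[int, str]:
    """Pre-fix shape: every attempt, however many, reaches the password check."""
    if check_password(username, password):
        return 200, "ok"
    return 401, "invalid credentials"


class LoginView:
    """Post-fix shape: throttle by client IP and by target account before the
    password check, so neither one source address nor one victim account can
    absorb unlimited guesses."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.ip_throttle = SlidingWindowThrottle(5, 60.0, clock)       # 5 per minute per IP
        self.user_throttle = SlidingWindowThrottle(10, 300.0, clock)   # 10 per 5 min per account

    def post(self, client_ip: str, username: str, password: str) -> Tuple[int, str]:
        for throttle, key in ((self.ip_throttle, client_ip),
                              (self.user_throttle, username.lower())):
            if not throttle.allow_request(key):
                # 429 responses are what a detection rule should count per IP/account.
                return 429, f"retry after {throttle.wait(key):.0f}s"
        return login_unthrottled(username, password)


if __name__ == "__main__":
    view = LoginView()
    for _ in range(5):
        print(view.post("203.0.113.7", "alice", "wrong"))      # (401, 'invalid credentials')
    print(view.post("203.0.113.7", "alice", USERS["alice"]))   # (429, 'retry after 60s')
```

Keying on both the client address and the account name matters: a per-IP limit alone is defeated by a distributed credential-stuffing run, while a per-account limit alone lets one source lock out a victim's account, so the two are combined and the rejected attempt is not recorded against the window.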


WAF Protection Rules

WAF Rule

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
