How severe is CVE-2021-41171?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2021-41171?

This is classified as CWE-307, which is a common weakness in software security.

CVE-2021-41171 - HIGH Severity | CVSS 8.8

Vulnerability Description

eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.

Related Vulnerabilities

CVE-2009-5140

HIGH

CVSS:8.8(High)

The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain acces...

CWE-3072009

CVE-2019-14351

HIGH

CVSS:8.8(High)

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterL...

CWE-3072019

CVE-2019-17525

HIGH

CVSS:8.8(High)

The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks.

CWE-3072019

CVE-2020-13872

HIGH

CVSS:8.8(High)

Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.

CWE-3072020

CVE-2021-35472

HIGH

CVSS:8.8(High)

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker mi...

CWE-3072021

CVE-2022-37144

HIGH

CVSS:8.8(High)

The PlexTrac platform prior to API version 1.17.0 does not restrict excessive MFA TOTP submission attempts. An unauthenticated remote attacker in possession of a valid username and password can brutef...

CWE-3072022