CVE-2024-55008
Published: 07 January 2025
Summary
CVE-2024-55008 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Jatos Jatos. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 43.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-7 directly addresses improper restriction of excessive authentication attempts by enforcing configurable limits, finite lockout durations, and appropriate lockout scoping to prevent account-level DoS exploitation.
SC-5 implements denial-of-service protections, such as rate limiting on login endpoints, to block repeated failed authentication attempts before they trigger account lockouts.
AC-2 establishes account management processes for timely enabling and disabling of accounts, facilitating rapid recovery from attacker-induced lockouts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in auth lockout logic directly enables remote unauthenticated DoS via repeated failed logins, mapping to application exploitation for endpoint availability impact.
NVD Description
JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker…
more
can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.
Deeper analysisAI
CVE-2024-55008 is a denial-of-service (DoS) vulnerability affecting JATOS version 3.9.4 in its authentication system. The issue stems from the account lockout mechanism, which triggers after three incorrect login attempts every minute, locking the targeted user account indefinitely. This flaw aligns with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and impact on availability.
Any unauthenticated attacker can exploit this vulnerability remotely without privileges by repeatedly submitting failed login attempts for a specific user account. Since lockouts are enforced at the account level rather than by IP address, an attacker can target and disable access for any legitimate user, preventing them from logging in and disrupting services indefinitely.
Reference URLs include the JATOS website at http://jatos.com and Medium articles detailing the vulnerability at https://hacking-notes.medium.com/cve-2024-51379-jatos-v3-9-4-account-lockout-denial-of-service-cc970f4ca58f. Security practitioners should consult these advisories for guidance on patches or mitigations.
Details
- CWE(s)