Bug 2107990 (CVE-2022-2457) - CVE-2022-2457 Business-central: admin console prone to brute force attack
Summary: CVE-2022-2457 Business-central: admin console prone to brute force attack
Keywords:
Status: NEW
Alias: CVE-2022-2457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2107981 2107995
Reported: 2022-07-18 08:05 UTC by Paramvir jindal
Modified: 2023-07-07 08:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Business Central in Red Hat Process Automation Manager 7. This flaw allows an attacker to benefit from a brute force attack in the Administration Console. In this issue, the application does not limit the number of unsuccessful login attempts.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Paramvir jindal 2022-07-18 08:05:41 UTC
IBM pentesting results:
https://docs.google.com/spreadsheets/d/1Iwbhk0lwGoNskLidsY5CXmc5MwKt5VfmJCaX21xyruo

The application does not limit the number of unsuccessful login attempts. Not limiting the number of unsuccessful login attempts exposes the application to a brute force attack in which a malicious user tries to gain access to the application by sending a large number of possible passwords and/or usernames, i.e., dictionary-based attacks.
Also, the weakness occurs when the application does not check the complexity or minimum length of the provided passwords. The entire security of the application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a variety of attacks.
Passwords are prone to brute force attacks; an attacker can easily brute force the passwords if the password policy is weak.
It is observed that there is no account lockout implemented for the Business Central application and new users can be created by an admin with weak passwords.
Steps to Reproduce:
- Open the Business Central login page of the application
- Enter wrong credentials.
- Try to do the same activity more than 10 times
- Check account lockout after entering the wrong password more than 10 times
Observations: The account is not locked out after entering the wrong password more than 1000 times
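The two controls the report says are missing, a failed-attempt lockout and a password policy, as an added illustration (not Business Central code and not from the reporter or Red Hat). The threshold of 5 failures, the 15-minute window and the 12-character minimum are assumed policy values; the account store is an in-memory dictionary so the snippet runs stand-alone.

```python
import re
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures before lockout (assumed policy value)
LOCKOUT_SECONDS = 900   # lockout window in seconds (assumed policy value)

def password_policy_violations(password: str) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means acceptable."""
    rules = {
        "at least 12 characters": len(password) >= 12,
        "a lowercase letter": re.search(r"[a-z]", password) is not None,
        "an uppercase letter": re.search(r"[A-Z]", password) is not None,
        "a digit": re.search(r"[0-9]", password) is not None,
    }
    return [rule for rule, ok in rules.items() if not ok]

@dataclass
class Account:
    password: str           # plaintext only to keep this demo self-contained
    failures: int = 0
    locked_until: float = 0.0

class LoginService:
    """Login front-end with the two controls the report says are missing."""
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the lockout window is testable
        self.accounts: dict[str, Account] = {}

    def create_user(self, name: str, password: str) -> None:
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("password must contain " + "; ".join(problems))
        self.accounts[name] = Account(password)

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked' (log 'locked'; show the user a generic message)."""
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"
        if acct.locked_until > self.now():
            return "locked"                     # still inside the lockout window
        if password == acct.password:
            acct.failures = 0                   # success resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"
```

Replaying the report's steps against this service, the fifth wrong password locks the account, and the correct password is also rejected until the window has elapsed.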
