Bug 2107990 (CVE-2022-2457) - CVE-2022-2457 Business-central: admin console prone to brute force attack
Summary: CVE-2022-2457 Business-central: admin console prone to brute force attack
Keywords:
Status: NEW
Alias: CVE-2022-2457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2107981 2107995
Reported: 2022-07-18 08:05 UTC by Paramvir jindal
Modified: 2023-07-07 08:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Paramvir jindal 2022-07-18 08:05:41 UTC
IBM pentesting results:
https://docs.google.com/spreadsheets/d/1Iwbhk0lwGoNskLidsY5CXmc5MwKt5VfmJCaX21xyruo


The application does not limit the number of unsuccessful login attempts. Not limiting the number of unsuccessful login attempts exposes the application to a brute force attack in which a malicious user tries to gain access to the application by sending a large number of possible passwords and/or usernames, i.e., dictionary-based attacks.

Also, the weakness occurs when the application does not check the complexity or minimum length of the provided passwords. The entire security of the application depends on its authentication mechanism. Weak password requirements allow users to create weak passwords, susceptible to a variety of attacks. Passwords are prone to brute force attacks; an attacker can easily brute force the passwords if the password policy is weak.

It is observed that there is no account lockout implemented for the Business Central application, and new users can be created by an admin with weak passwords.

Steps to Reproduce:
- Open the Business Central login page of the application
- Enter wrong credentials.
- Try to do the same activity more than 10 times
- Check account lockout after entering the wrong password more than 10 times

Observations: The account is not locked out after entering the wrong password more than 1000 times
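The two controls the report finds missing, a per-account lockout after repeated failed logins and a minimum password policy, as an added example in Python; this is not Business Central code, and the threshold, lock duration, minimum length and the `check_password` callback are assumptions chosen to match the report's "more than 10 times" check.

```python
"""Added example (not Business Central code): per-account lockout after
repeated failures plus a password-policy check for admin-created users."""
import re
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 10      # assumed: failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumed: how long the lock lasts
MIN_PASSWORD_LENGTH = 12    # assumed minimum length


class LoginGuard:
    """Counts failed logins per username and refuses further attempts once
    the threshold is reached, so 1000 guesses cannot be run against one account."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unix time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: reset the counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password, check_password):
        """Return 'locked', 'ok' or 'bad'. check_password(user, password) is the
        real credential check (assumed); it is never called while the account is locked."""
        if self.is_locked(user):
            return "locked"
        if check_password(user, password):
            self.failures[user] = 0         # success clears the failure count
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return "bad"


def password_policy_errors(pw):
    """Reject weak passwords at creation: minimum length plus four character classes."""
    errors = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            errors.append(f"missing {name}")
    return errors
```

Because the lock is keyed on the username, the same counter also lets a third party lock a known account out, so in practice pair it with per-source throttling and alerting on lock events rather than relying on it alone.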

