Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-excr-b2pz-jydm

Summary

Silverstripe Brute force bypass on default admin
Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.

Aliases

alias	GHSA-8v6m-7f5v-hhx6

Fixed_packages

url pkg:composer/silverstripe/framework@3.1.19

purl pkg:composer/silverstripe/framework@3.1.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.1.19

url pkg:composer/silverstripe/framework@3.2.4

purl pkg:composer/silverstripe/framework@3.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.2.4

url pkg:composer/silverstripe/framework@3.3.2

purl pkg:composer/silverstripe/framework@3.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3svb-wudn-aybz

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-f4hv-79km-3ygt

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.2

Affected_packages

url pkg:composer/silverstripe/framework@3.1.18

purl pkg:composer/silverstripe/framework@3.1.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1uhv-fetz-j7fd

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-9ugf-duna-xfgy

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-evh4-xq48-4fa6

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-excr-b2pz-jydm

vulnerability	VCID-ggbg-8mtc-hudc

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-m5rs-qptc-vued

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-q939-fszs-wfdp

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-v9ch-up34-nuab

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.1.18

url pkg:composer/silverstripe/framework@3.2.3

purl pkg:composer/silverstripe/framework@3.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1uhv-fetz-j7fd

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-9ugf-duna-xfgy

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-evh4-xq48-4fa6

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-excr-b2pz-jydm

vulnerability	VCID-ggbg-8mtc-hudc

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-m5rs-qptc-vued

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-q939-fszs-wfdp

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-v9ch-up34-nuab

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.2.3

url pkg:composer/silverstripe/framework@3.3.1

purl pkg:composer/silverstripe/framework@3.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1mmc-91gk-r3d3

vulnerability	VCID-1uhv-fetz-j7fd

vulnerability	VCID-36z3-nafq-6kez

vulnerability	VCID-3svb-wudn-aybz

vulnerability	VCID-3x46-q9cb-7ubg

vulnerability	VCID-7ek4-6y31-1qcs

vulnerability	VCID-7hxq-cp29-r7dh

vulnerability	VCID-9ugf-duna-xfgy

vulnerability	VCID-at1s-qxsg-5yfs

vulnerability	VCID-b6nm-cphj-wfgw

vulnerability	VCID-b95v-49p7-fkas

vulnerability	VCID-c437-w2zy-y7c9

vulnerability	VCID-c6bz-jwhm-vkgp

vulnerability	VCID-cmwn-cjff-9qau

vulnerability	VCID-evh4-xq48-4fa6

vulnerability	VCID-ewg1-jqza-eyez

vulnerability	VCID-excr-b2pz-jydm

vulnerability	VCID-ggbg-8mtc-hudc

vulnerability	VCID-gkkp-9fm7-jfaz

vulnerability	VCID-hnme-cqff-c7dp

vulnerability	VCID-m5rs-qptc-vued

vulnerability	VCID-mkex-ht2r-cucz

vulnerability	VCID-nute-ndg2-z7ev

vulnerability	VCID-q939-fszs-wfdp

vulnerability	VCID-qdwg-f2bx-1bay

vulnerability	VCID-r1eg-dwej-5kau

vulnerability	VCID-t81f-5b8z-hyht

vulnerability	VCID-umhc-fdfh-1fdx

vulnerability	VCID-v9ch-up34-nuab

vulnerability	VCID-xg74-3h1h-kqaf

vulnerability	VCID-y8et-m846-2fc6

vulnerability	VCID-z28b-1yrx-1bbn

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/framework@3.3.1

References

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml

reference_url

https://github.com/silverstripe/silverstripe-framework

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-framework

reference_url

https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2

reference_url

https://www.silverstripe.org/download/security-releases/ss-2016-005

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.silverstripe.org/download/security-releases/ss-2016-005

reference_url	https://github.com/advisories/GHSA-8v6m-7f5v-hhx6
reference_id	GHSA-8v6m-7f5v-hhx6
reference_type
scores
url	https://github.com/advisories/GHSA-8v6m-7f5v-hhx6

Weaknesses

cwe_id	307
name	Improper Restriction of Excessive Authentication Attempts
description	The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 9.0 - 10.0

Exploitability 0.5

Weighted_severity 9.0

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-excr-b2pz-jydm

Vulnerability Instance