CVE-2020-11052
Sorcery < 0.15.0 - Brute Force Protection Bypass via Expired Lockout
Severity
HIGH
Title source: llmDescription
In Sorcery before 0.15.0, password authentication through Sorcery is exposed to brute-force attacks. The brute force protection submodule locks an account for the configured lockout period after too many failed logins, but once that period expires the protection is not re-armed: further failed attempts are no longer limited until someone, the legitimate user or the attacker, logs in successfully. Users who do not enable the built-in brute force protection submodule are not affected, nor are users configured for permanent account lockout. This is patched in 0.15.0.
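The failure mode above is easiest to see as a state machine. The following Ruby model is an added example, not Sorcery's code: the hypothetical `Account` class keeps a failed-login counter and a lock expiry, and the `reset_on_expiry` switch selects between the flawed behaviour the advisory describes (an expired lock is left in place and treated as "already locked", so failures stop being counted until a successful login clears it) and the corrected behaviour (an expired lock is cleared before the new failure is counted, so the lockout re-arms). The retry limit, lock period and time values are assumed for illustration.

```ruby
# Added model of the CWE-307 lockout flaw described in CVE-2020-11052.
# Not Sorcery's implementation; Account, RETRY_LIMIT and LOCK_PERIOD are hypothetical.
class Account
  RETRY_LIMIT = 3   # failed attempts before a lock (assumed value)
  LOCK_PERIOD = 60  # seconds a lock lasts (assumed value)

  attr_reader :failed_logins_count, :lock_expires_at

  def initialize(password:, reset_on_expiry:)
    @password = password
    @reset_on_expiry = reset_on_expiry # false = flawed variant, true = fixed variant
    @failed_logins_count = 0
    @lock_expires_at = nil
  end

  # A lock refuses logins only while its expiry lies in the future.
  def locked?(now)
    !@lock_expires_at.nil? && @lock_expires_at > now
  end

  # Successful login (both variants) clears the lock state entirely.
  def unlock!
    @lock_expires_at = nil
    @failed_logins_count = 0
  end

  # Attempt a login at time `now`; returns :locked, :ok or :failed.
  def login(password, now)
    return :locked if locked?(now)

    if password == @password
      unlock!
      return :ok
    end

    register_failed_login!(now)
    :failed
  end

  private

  def register_failed_login!(now)
    if @lock_expires_at && @lock_expires_at <= now
      # Flawed variant: the stale expiry is mistaken for an active lock, so the
      # failure is not counted and no new lock can ever be set here.
      return unless @reset_on_expiry
      # Fixed variant: an expired lock is cleared, then the failure counts.
      unlock!
    end
    @failed_logins_count += 1
    @lock_expires_at = now + LOCK_PERIOD if @failed_logins_count >= RETRY_LIMIT
  end
end

# Drive the model: trigger a lock, wait until it expires, then keep guessing.
# Returns how many of the post-expiry guesses were actually processed
# (:failed) rather than refused (:locked).
def guesses_allowed_after_expiry(reset_on_expiry:, guesses: 10)
  t0 = Time.at(0) # constructed start time
  acct = Account.new(password: 'correct horse', reset_on_expiry: reset_on_expiry)
  Account::RETRY_LIMIT.times { |i| acct.login("wrong#{i}", t0) }
  raise 'model error: account should be locked' unless acct.locked?(t0)

  later = t0 + Account::LOCK_PERIOD + 1 # one second after the lock expired
  results = Array.new(guesses) { |i| acct.login("guess#{i}", later + i) }
  results.count { |r| r == :failed }
end

if $PROGRAM_NAME == __FILE__
  puts "flawed: #{guesses_allowed_after_expiry(reset_on_expiry: false)} of 10 guesses processed"
  puts "fixed:  #{guesses_allowed_after_expiry(reset_on_expiry: true)} of 10 guesses processed"
end
```

In the flawed variant every guess after the first expiry is processed, so the attacker only has to wait out one lockout period once and can then guess without limit; in the fixed variant the account re-locks after `RETRY_LIMIT` further failures. When reviewing any lockout implementation, test exactly this sequence (lock, wait past expiry, keep failing) rather than only the initial lock.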
References (4)
Third Party Advisory: https://github.com/Sorcery/sorcery/security/advisories/GHSA-jc8m-cxhj-668x
Third Party Advisory: https://github.com/Sorcery/sorcery/issues/231
Patch, Third Party Advisory: https://github.com/Sorcery/sorcery/pull/235
Patch, Third Party Advisory: https://github.com/Sorcery/sorcery/commit/0f116d223826895a73b12492f17486e5d54ab7a7
Scores
CVSS v3
8.3
EPSS
0.0053
EPSS Percentile
67.5%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Details
CWE
CWE-307
Status
published
Products (2)
rubygems/sorcery (RubyGems)
>= 0, < 0.15.0
sorcery_project/sorcery
< 0.15.0
Published
May 07, 2020
Tracked Since
Feb 18, 2026