sorcery 0.4.2
Improper Restriction of Excessive Authentication Attempts in Sorcery
high severity CVE-2020-11052>= 0.15.0
Impact
Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout.
Patches
Patched as of version 0.15.0
.
Workarounds
Currently no workarounds, other than monkey patching the authenticate method
provided by Sorcery or upgrading to version 0.15.0
.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Gem version without a license.
Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.
This gem version is available.
This gem version has not been yanked and is still available for usage.