sorcery 0.8.1
Improper Restriction of Excessive Authentication Attempts in Sorcery
high severity CVE-2020-11052>= 0.15.0
Impact
Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout.
Patches
Patched as of version 0.15.0
.
Workarounds
Currently no workarounds, other than monkey patching the authenticate method
provided by Sorcery or upgrading to version 0.15.0
.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.