| Field | Value |
|---|---|
| Title | Windmill Labs Windmill CE 1.380.0 Excessive Iteration |
| Description | Lack of rate limiting could lead to account takeover. |
| Details | By knowing the HTTP request schema, an attacker can fetch the https://domain.com/api/workspaces/users URI and brute-force the 32-character token (as specified in the cookie crate in the back-end code). It will take them anywhere between 3 days and an indefinite amount of time (indefinite if they choose to brute-force tokens created by users without an expiry date) to find a valid credential. Lack of rate limiting may allow an attacker to brute-force a valid session token and gain unauthorized access to the account. |
| Source | https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3 |
| User | DeepCove (UID 60341) |
| Submission | 09/03/2024 01:30 PM (10 months ago) |
| Moderation | 09/05/2024 07:19 AM (2 days later) |
| Status | Accepted |
| VulDB Entry | 276630 [Windmill 1.380.0 HTTP Request users.rs excessive authentication] |
| Points | 20 |