CVE-2021-22530
EUVD-2021-967228.08.2024, 07:15
A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server performance. This issue impacts all NetIQ Advance Authentication before 6.3.5.1Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| microfocus | netiq_advanced_authentication | 𝑥 < 6.3 |
| microfocus | netiq_advanced_authentication | 6.3 |
| microfocus | netiq_advanced_authentication | 6.3:sp1 |
| microfocus | netiq_advanced_authentication | 6.3:sp2 |
| microfocus | netiq_advanced_authentication | 6.3:sp3 |
| microfocus | netiq_advanced_authentication | 6.3:sp4 |
| microfocus | netiq_advanced_authentication | 6.3:sp4_patch1 |
| microfocus | netiq_advanced_authentication | 6.3:sp5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-667 - Improper LockingThe software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
- CWE-307 - Improper Restriction of Excessive Authentication AttemptsThe product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.