CVE-2023-26756

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. NOTE: The vendors position is that this is effectively mitigated by rate limits and password-quality features.

Weakness

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Affected Software

Potential Mitigations

• Common protection mechanisms include:

• Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

• Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/16.html
• https://cwe.mitre.org/data/definitions/49.html
• https://cwe.mitre.org/data/definitions/560.html
• https://cwe.mitre.org/data/definitions/565.html
• https://cwe.mitre.org/data/definitions/600.html
• https://cwe.mitre.org/data/definitions/652.html
• https://cwe.mitre.org/data/definitions/653.html

References

• http://seclists.org/fulldisclosure/2024/Apr/27
• https://googleinformationsworld.blogspot.com/2023/04/revive-adserver-541-vulnerable-to-brute.html
• https://www.esecforte.com/login-page-brute-force-attack/
• https://www.revive-adserver.com/security/response-to-cve-2023-26756/
• http://seclists.org/fulldisclosure/2024/Apr/27
• https://googleinformationsworld.blogspot.com/2023/04/revive-adserver-541-vulnerable-to-brute.html
• https://www.esecforte.com/login-page-brute-force-attack/
• https://www.revive-adserver.com/security/response-to-cve-2023-26756/