Search criteria
Related vulnerabilities
CVE-2024-45404 (GCVE-0-2024-45404)
Vulnerability from cvelistv5 – Published: 2024-12-11 22:01 – Updated: 2024-12-12 16:36
VLAI
Title
OpenCTI's lack of Rate Limit lead to OTP brute forcing
Summary
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OpenCTI-Platform/opencti/secur… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenCTI-Platform | opencti |
Affected:
< 6.2.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45404",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T16:35:44.190070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T16:36:11.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencti",
"vendor": "OpenCTI-Platform",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T22:01:46.667Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7"
}
],
"source": {
"advisory": "GHSA-hg56-r6hh-56j7",
"discovery": "UNKNOWN"
},
"title": "OpenCTI\u0027s lack of Rate Limit lead to OTP brute forcing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45404",
"datePublished": "2024-12-11T22:01:46.667Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-12-12T16:36:11.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
PYSEC-2024-297
Vulnerability from pysec - Published: 2024-12-12 02:02 - Updated: 2026-05-20 09:19
VLAI
Details
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.
Severity
8.1 (High)
Impacted products
| Name | purl | pycti | pkg:pypi/pycti |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pycti",
"purl": "pkg:pypi/pycti"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.18"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2.1",
"1.2.11",
"1.2.12",
"1.2.13",
"1.2.14",
"1.2.15",
"1.2.2",
"1.2.4",
"1.2.9",
"2.0.0",
"2.0.1",
"2.0.2",
"2.0.3",
"2.1.10",
"2.1.11",
"2.1.12",
"2.1.13",
"2.1.3",
"2.1.4",
"2.1.5",
"2.1.6",
"2.1.7",
"2.1.8",
"2.1.9",
"3.0.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.1.0",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.2.6",
"3.2.7",
"3.3.0",
"3.3.1",
"3.3.2",
"3.3.3",
"4.0.0",
"4.0.1",
"4.0.2",
"4.0.3",
"4.0.4",
"4.0.5",
"4.0.6",
"4.0.7",
"4.1.0",
"4.1.1",
"4.1.2",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.3.0",
"4.3.1",
"4.3.2",
"4.3.3",
"4.3.4",
"4.3.5",
"4.4.0",
"4.4.1",
"4.4.2",
"4.4.3",
"4.5.0",
"4.5.1",
"4.5.2",
"4.5.3",
"4.5.4",
"4.5.5",
"5.0.0",
"5.0.1",
"5.0.2",
"5.0.3",
"5.1.0",
"5.1.1",
"5.1.2",
"5.1.3",
"5.1.4",
"5.10.0",
"5.10.1",
"5.10.2",
"5.10.3",
"5.11.0",
"5.11.1",
"5.11.10",
"5.11.11",
"5.11.12",
"5.11.13",
"5.11.14",
"5.11.2",
"5.11.3",
"5.11.4",
"5.11.5",
"5.11.6",
"5.11.7",
"5.11.8",
"5.11.9",
"5.12.0",
"5.12.1",
"5.12.10",
"5.12.11",
"5.12.12",
"5.12.13",
"5.12.14",
"5.12.15",
"5.12.16",
"5.12.17",
"5.12.18",
"5.12.19",
"5.12.2",
"5.12.20",
"5.12.21",
"5.12.22",
"5.12.23",
"5.12.24",
"5.12.25",
"5.12.26",
"5.12.27",
"5.12.28",
"5.12.29",
"5.12.3",
"5.12.30",
"5.12.31",
"5.12.32",
"5.12.33",
"5.12.4",
"5.12.5",
"5.12.6",
"5.12.7",
"5.12.8",
"5.12.9",
"5.2.0",
"5.2.1",
"5.2.2",
"5.2.3",
"5.2.4",
"5.3.0",
"5.3.1",
"5.3.10",
"5.3.11",
"5.3.12",
"5.3.13",
"5.3.14",
"5.3.15",
"5.3.16",
"5.3.17",
"5.3.2",
"5.3.3",
"5.3.4",
"5.3.5",
"5.3.6",
"5.3.7",
"5.3.8",
"5.3.9",
"5.3.post5310",
"5.3.post5311",
"5.3.post5312",
"5.3.post5314",
"5.3.post5315",
"5.3.post5316",
"5.3.post5317",
"5.3.post5318",
"5.4.0",
"5.4.1",
"5.5.0",
"5.5.1",
"5.5.2",
"5.5.3",
"5.5.4",
"5.5.5",
"5.5.6",
"5.5.post551",
"5.5.post552",
"5.5.post553",
"5.5.post554",
"5.5.post555",
"5.5.post556",
"5.6.0",
"5.6.1",
"5.6.2",
"5.6.post560",
"5.6.post561",
"5.6.post562",
"5.7.0",
"5.7.1",
"5.7.2",
"5.7.3",
"5.7.4",
"5.7.5",
"5.7.6",
"5.7.post570",
"5.7.post571",
"5.7.post572",
"5.7.post573",
"5.7.post574",
"5.7.post575",
"5.7.post576",
"5.8.0",
"5.8.1",
"5.8.2",
"5.8.3",
"5.8.4",
"5.8.5",
"5.8.6",
"5.8.7",
"5.9.0",
"5.9.1",
"5.9.2",
"5.9.3",
"5.9.4",
"5.9.5",
"5.9.6",
"6.0.0",
"6.0.1",
"6.0.10",
"6.0.2",
"6.0.3",
"6.0.4",
"6.0.5",
"6.0.6",
"6.0.7",
"6.0.8",
"6.0.9",
"6.1.0",
"6.1.1",
"6.1.10",
"6.1.11",
"6.1.12",
"6.1.13",
"6.1.2",
"6.1.3",
"6.1.4",
"6.1.5",
"6.1.6",
"6.1.7",
"6.1.8",
"6.1.9",
"6.2.0",
"6.2.1",
"6.2.10",
"6.2.11",
"6.2.12",
"6.2.13",
"6.2.14",
"6.2.15",
"6.2.16",
"6.2.17",
"6.2.2",
"6.2.3",
"6.2.4",
"6.2.5",
"6.2.6",
"6.2.7",
"6.2.8",
"6.2.9"
]
}
],
"aliases": [
"CVE-2024-45404",
"GHSA-hg56-r6hh-56j7"
],
"details": "OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.",
"id": "PYSEC-2024-297",
"modified": "2026-05-20T09:19:14.036718Z",
"published": "2024-12-12T02:02:09.530Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-hg56-r6hh-56j7"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}