OpenProject: 2FA OTP Verification Missing Rate Limiting

OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

过多认证尝试的限制不恰当

OpenProject 安全漏洞

OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 17.3.0之前版本存在安全漏洞，该漏洞源于two_factor_authentication模块的confirm_otp操作中2FA OTP验证缺少速率限制、锁定机制或失败尝试跟踪，可能导致完全绕过双因素认证。

N/A

N/A