Impact
If a user's username and password are known to an attacker, it is possible to brute force their TOTP.
The following log line is emitted on each failed OTP attempt and can be used to detect this kind of attack (EyeDP/app/controllers/concerns/authenticates_with_two_factor.rb, line 59 in commit 633e6e0):
Rails.logger.warn("Failed Login: user=#{user.username} ip=#{request.remote_ip} method=OTP")
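As an added example (not from the advisory or the EyeDP project), the following Ruby script turns the log line above into a detection: it parses Rails log output and flags accounts with repeated OTP failures inside a short window. The timestamp prefix (Ruby's Logger::Formatter layout), the sample log lines and the thresholds are assumptions; only the message text comes from the advisory.

```ruby
# Added detection example (not part of the advisory or of EyeDP): scan Rails
# log lines for the "Failed Login ... method=OTP" warning the advisory names and
# flag accounts with many OTP failures inside a short window. The timestamp
# prefix is an assumption (Ruby's Logger::Formatter layout).
require 'time'

OTP_FAILURE = /\[(?<ts>\d{4}-\d\d-\d\dT[\d:.]+)[^\]]*\].*?Failed Login: user=(?<user>\S+) ip=(?<ip>\S+) method=OTP/

# Returns one {ts:, user:, ip:} hash per matching line; other lines are skipped.
def parse_otp_failures(log_text)
  log_text.each_line.filter_map do |line|
    m = OTP_FAILURE.match(line)
    m && { ts: Time.iso8601(m[:ts]), user: m[:user], ip: m[:ip] }
  end
end

# A user is a suspect when `threshold` failures fall within `window` seconds
# (sliding window over sorted timestamps, so a burst is caught wherever it starts).
def otp_bruteforce_suspects(events, threshold: 5, window: 300)
  events.group_by { |e| e[:user] }.each_with_object({}) do |(user, evs), out|
    times = evs.map { |e| e[:ts] }.sort
    burst = times.each_cons(threshold).any? { |win| win.last - win.first <= window }
    out[user] = { failures: times.size, ips: evs.map { |e| e[:ip] }.uniq.sort } if burst
  end
end

# Constructed sample log: alice fails six OTP checks in two minutes (someone who
# already holds her password guessing codes), bob fails twice hours apart.
SAMPLE_LOG = <<~LOG
  W, [2024-03-01T10:00:00.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.5 method=OTP
  W, [2024-03-01T10:00:12.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.5 method=OTP
  I, [2024-03-01T10:00:20.000000 #4242]  INFO -- : Completed 200 OK in 12ms
  W, [2024-03-01T10:00:31.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.5 method=OTP
  W, [2024-03-01T10:00:55.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.5 method=OTP
  W, [2024-03-01T10:01:40.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.9 method=OTP
  W, [2024-03-01T10:01:58.000000 #4242]  WARN -- : Failed Login: user=alice ip=203.0.113.5 method=OTP
  W, [2024-03-01T09:15:00.000000 #4242]  WARN -- : Failed Login: user=bob ip=198.51.100.7 method=OTP
  W, [2024-03-01T14:40:00.000000 #4242]  WARN -- : Failed Login: user=bob ip=198.51.100.7 method=OTP
LOG

if $PROGRAM_NAME == __FILE__
  otp_bruteforce_suspects(parse_otp_failures(SAMPLE_LOG)).each do |user, info|
    puts "ALERT possible TOTP brute force: user=#{user} failures=#{info[:failures]} ips=#{info[:ips].join(',')}"
  end
end
```

Lowering the threshold or widening the window trades false positives for earlier detection; the same parse step feeds either a SIEM rule or a cron job that reads the Rails log.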
Patches
A fix is in progress
Workarounds
It is possible to limit exposure to this attack by configuring a rate limit on the login endpoints in Nginx or a similar reverse proxy.
References
GHSA-chcr-x7hc-8fp8