Weak Authentication Mechanisms in Koel by Anto105
CVE-2021-33563

7.5HIGH

Key Information:

Vendor: Koel
Status: Koel
Vendor: CVE Published:; 24 May 2021

What is CVE-2021-33563?

Koel prior to version 5.1.4 presents multiple vulnerabilities related to authentication processes. Specifically, it lacks login throttling mechanisms, fails to enforce a robust password strength policy, and inadvertently reveals whether a failed login attempt was made with a valid username. These deficiencies can significantly increase the risk of brute-force attacks, allowing malicious actors to exploit the system more easily. Users are strongly encouraged to update to the latest version to mitigate these risks.

References

https://huntr.dev/bounties/1-other-koel/koel/

x_refsource_MISC

https://github.com/koel/koel/releases/tag/v5.1.4

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2021
Vulnerability Reserved
May 24, 2021

CVE-2021-33563 Data

JSON