Improper Restriction of Excessive Authentication Attempts in kareadita/kavita
Description
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kavita prior to 0.6.0.3 did not rate-limit login attempts and answered unknown usernames differently from wrong passwords, so an attacker could enumerate valid usernames and then brute-force their passwords without being throttled.
Vulnerability
In Kavita versions before 0.6.0.3, the login endpoint (/api/account/login) did not enforce any rate limiting on authentication attempts. Additionally, the server returned a different error message for an unknown username than for a wrong password, so a single failed request was enough to tell whether a given username exists. The vulnerable code is in the Login method of AccountController.
Exploitation
An attacker can send a high volume of login requests to the endpoint without being throttled. By comparing the error responses, the attacker can first determine which usernames exist (e.g., "Invalid username" for an unknown account versus "Your credentials are not correct" for a wrong password), one request per candidate name. Once valid usernames are identified, the attacker can brute-force passwords for those accounts with no restriction on the number of attempts.
Impact
A successful brute-force attack yields unauthorized access to the targeted account. The attacker can then read, modify, or delete whatever that account can reach, and if the compromised account holds an administrative role, the attacker gains administrative control of the Kavita instance.
Mitigation
The vulnerability is fixed in Kavita version 0.6.0.3, released on November 11, 2022. The fix uses a generic error message for all login failures and adds rate limiting on authentication attempts [1]. Users should upgrade to 0.6.0.3 or later. No workaround was published for earlier versions; as a general compensating control, an operator who cannot upgrade immediately can throttle requests to /api/account/login at a reverse proxy in front of Kavita, which slows brute force but does not remove the username-enumeration difference in the responses.
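The following is an added example, not Kavita's code (Kavita is C#/ASP.NET Core; this is a language-neutral model written in Python). It puts the pre-fix handler shape described under Vulnerability and Exploitation beside a hardened form that does what the Mitigation section describes: one generic failure message, the same hashing work whether or not the username exists (so the generic message is not undone by a timing difference), and a sliding-window limit on failures per account and per source IP. The user store, the hash scheme, the limits, and the two attacker helpers are assumptions for the illustration.

```python
"""Model of the Kavita CWE-307 issue and its fix (illustrative, not project code)."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed hash scheme for the example; Kavita's real password storage is not modelled.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store: username -> (salt, hash).
USERS = {
    "admin": (b"salt-admin", _hash("correct horse battery", b"salt-admin")),
    "alice": (b"salt-alice", _hash("hunter2", b"salt-alice")),
}
# Dummy credential so unknown usernames cost the same hashing work as known ones.
_DUMMY = (b"salt-dummy", _hash("dummy", b"salt-dummy"))

GENERIC_ERROR = "Your credentials are not correct"


class AttemptLimiter:
    """Sliding-window failure counter: at most `limit` failures per key within `window` seconds."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key: str) -> deque:
        q, cutoff = self._failures[key], self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def allowed(self, key: str) -> bool:
        return len(self._prune(key)) < self.limit

    def record_failure(self, key: str) -> None:
        self._prune(key).append(self.clock())

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


def login_vulnerable(username: str, password: str):
    """Pre-fix shape: no throttling, and the reply reveals whether the user exists."""
    if username not in USERS:
        return 401, "Invalid username"  # enumeration oracle
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 401, GENERIC_ERROR
    return 200, "ok"


def login_hardened(username, password, client_ip, account_limiter, ip_limiter):
    """Post-fix shape: generic message, uniform work, per-account and per-IP throttling."""
    account_key = f"{client_ip}|{username.lower()}"
    if not ip_limiter.allowed(client_ip) or not account_limiter.allowed(account_key):
        return 429, "Too many attempts"
    salt, digest = USERS.get(username, _DUMMY)  # hash even for unknown users
    ok = username in USERS and hmac.compare_digest(_hash(password, salt), digest)
    if not ok:
        ip_limiter.record_failure(client_ip)
        account_limiter.record_failure(account_key)
        return 401, GENERIC_ERROR
    account_limiter.reset(account_key)
    return 200, "ok"


def enumerate_users(candidates, login):
    """Attacker view: a name 'exists' if its failure reply differs from a surely-unknown name's."""
    baseline = login("no-such-user-zz9", "wrong")
    return [u for u in candidates if login(u, "wrong") != baseline]


def brute_force(username, wordlist, login):
    """Attacker view: try passwords in order until one is accepted or the server stops answering."""
    for pw in wordlist:
        status, _ = login(username, pw)
        if status == 200:
            return pw
        if status == 429:
            return None  # throttled before the list was exhausted
    return None


if __name__ == "__main__":
    names = ["admin", "alice", "bob"]
    words = ["password", "123456", "letmein", "qwerty", "admin", "welcome", "hunter2"]
    print("vulnerable, enumerated:", enumerate_users(names, login_vulnerable))
    print("vulnerable, cracked alice:", brute_force("alice", words, login_vulnerable))
    acct, ip = AttemptLimiter(5, 300), AttemptLimiter(50, 300)
    hard = lambda u, p: login_hardened(u, p, "203.0.113.7", acct, ip)
    print("hardened, enumerated:", enumerate_users(names, hard))
    print("hardened, cracked alice:", brute_force("alice", words, hard))
```

Two design points worth noting. Keying the account limiter on source IP plus username keeps one attacker from locking legitimate users out of their own accounts, but an attacker who rotates source addresses gets a fresh budget per address, which is why a per-IP limiter alone is not enough either; keying on the username alone closes that gap at the cost of a trivial lockout denial of service. And the generic message only helps if the unknown-user path does the same hashing as the known-user path; skipping the hash for unknown names reopens the oracle as a measurable timing difference.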
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- kareadita / kareadita/kavita (v5), range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.