Improper Restriction of Excessive Authentication Attempts in modoboa/modoboa-installer
Description
Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Modoboa Installer prior to 2.0.4 lacks rate limiting, allowing brute-force attacks on authentication.
Vulnerability
CVE-2023-0860 is an improper restriction of excessive authentication attempts in the Modoboa Installer (modoboa-installer) before version 2.0.4. The installer did not enforce any mechanism to limit the number of failed login attempts, making it susceptible to brute-force password guessing attacks [1].
Exploitation
An attacker can exploit this vulnerability by sending a high volume of authentication requests to the Modoboa service without being blocked. No prior authentication or special network position is required; the attacker only needs network access to the Modoboa instance [1][2].
Impact
Successful exploitation allows an attacker to systematically guess user credentials, potentially gaining unauthorized access to email accounts and administrative interfaces. This can lead to data breaches, email compromise, and further lateral movement within the hosted environment [1].
Mitigation
The vulnerability is fixed in modoboa-installer version 2.0.4, which integrates Fail2ban to automatically ban IP addresses after a configurable number of failed attempts [2]. Users should upgrade to the latest version to protect against brute-force attacks.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
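The Fail2ban mitigation described above, as an added example that is not code from the modoboa-installer project: a plain-Python re-implementation of the jail's sliding-window ban logic, using the failregex from the filter.d/modoboa-auth.conf.tpl template and the max_retry/find_time/ban_time defaults (20/30/3600) from the fix commit shown under Patches. The Jail and simulate names, the IPv4-only host group and the log lines are constructed for this example; it shows how the shipped defaults behave against fast and slow guessing.

```python
"""Fail2ban-style ban logic for the Modoboa auth filter (added example)."""
import re
from collections import defaultdict, deque

# failregex from filter.d/modoboa-auth.conf.tpl, with fail2ban's <HOST> tag
# replaced by a named group (IPv4 only here; fail2ban also matches IPv6/names).
FAILREGEX = re.compile(
    r"modoboa\.auth: WARNING Failed connection attempt from "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})' as user '.*?'$"
)

class Jail:
    """Ban a host after max_retry failures within find_time s (defaults from the fix commit)."""
    def __init__(self, max_retry=20, find_time=30, ban_time=3600):
        self.max_retry, self.find_time, self.ban_time = max_retry, find_time, ban_time
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned_until = {}              # host -> time the ban expires

    def is_banned(self, host, now):
        return self.banned_until.get(host, 0) > now

    def observe(self, line, now):
        """Feed one log line seen at time `now`; return the host if it gets banned."""
        m = FAILREGEX.search(line)
        if not m:
            return None  # not an auth failure line; fail2ban ignores it too
        host = m.group("host")
        window = self.failures[host]
        window.append(now)
        # Forget failures older than find_time: with the 20/30 defaults a guess
        # every 2 s never accumulates 20 failures inside one window.
        while window and now - window[0] > self.find_time:
            window.popleft()
        if len(window) >= self.max_retry and not self.is_banned(host, now):
            self.banned_until[host] = now + self.ban_time
            return host
        return None

def simulate(interval, attempts=40, host="203.0.113.7", **jail_kwargs):
    """Replay `attempts` constructed failure lines from `host`, `interval` seconds
    apart; return the time of the first ban, or None if the jail never triggers."""
    jail = Jail(**jail_kwargs)
    for i in range(attempts):
        now = i * interval
        line = (f"modoboa.auth: WARNING Failed connection attempt from "
                f"'{host}' as user 'admin{i}'")
        if jail.observe(line, now) == host:
            return now
    return None
```

With the installer defaults, simulate(1.0) bans on the 20th attempt (at 19 s) while simulate(2.0) never bans; widening find_time to 600 makes the slow run ban at 38 s.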
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
modoboa: modoboa/modoboa-installer (range: unspecified)
Patches
163d92b73f3da Merge pull request #474 from modoboa/security/fail2ban
5 files changed · +61 −0
modoboa_installer/config_dict_template.py+25 −0 modified@@ -118,6 +118,31 @@ def is_email(user_input): } ] }, + { + "name": "fail2ban", + "values": [ + { + "option": "enabled", + "default": "true", + }, + { + "option": "config_dir", + "default": "/etc/fail2ban" + }, + { + "option": "max_retry", + "default": "20" + }, + { + "option": "ban_time", + "default": "3600" + }, + { + "option": "find_time", + "default": "30" + }, + ] + }, { "name": "modoboa", "values": [
modoboa_installer/scripts/fail2ban.py+17 −0 added@@ -0,0 +1,17 @@ +"""fail2ban related functions.""" + +from . import base + + +class Fail2ban(base.Installer): + """Fail2ban installer.""" + + appname = "fail2ban" + packages = { + "deb": ["fail2ban"], + "rpm": ["fail2ban"] + } + config_files = [ + "jail.d/modoboa.conf", + "filter.d/modoboa-auth.conf", + ]
modoboa_installer/scripts/files/fail2ban/filter.d/modoboa-auth.conf.tpl+9 −0 added@@ -0,0 +1,9 @@ +# Fail2Ban filter Modoboa authentication + +[INCLUDES] + +before = common.conf + +[Definition] + +failregex = modoboa\.auth: WARNING Failed connection attempt from \'<HOST>\' as user \'.*?\'$
modoboa_installer/scripts/files/fail2ban/jail.d/modoboa.conf.tpl+9 −0 added@@ -0,0 +1,9 @@ +[modoboa] +enabled = true +port = http,https +protocol = tcp +filter = modoboa-auth +maxretry = %max_retry +bantime = %ban_time +findtime = %find_time +logpath = /var/log/auth.log
run.py+1 −0 modified@@ -22,6 +22,7 @@ PRIMARY_APPS = [ "amavis", + "fail2ban", "modoboa", "automx", "radicale",
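Review bot: the new fail2ban section in config_dict_template.py defaults `find_time` to "30" alongside `max_retry` "20", so a source is banned only after 20 failures inside a 30-second window; a client pacing guesses two seconds apart never reaches the threshold and the rate limit this commit is meant to add does not stop a patient brute force. Consider a longer default window (fail2ban's own default findtime is 10 minutes) or a lower max_retry, and document the trade-off next to the options. Minor style point: the "enabled" entry has a trailing comma after its "default" value while the other four entries do not.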
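Review bot: the Fail2ban class in scripts/fail2ban.py declares the two templates in `config_files` and the deb/rpm package lists, but nothing in this hunk shows the `%max_retry`, `%ban_time` and `%find_time` placeholders used by jail.d/modoboa.conf.tpl being supplied to template rendering, or the fail2ban service being reloaded once the jail file is written. If base.Installer already does both from the config section named by `appname`, a sentence in the class docstring saying so would spare the next reader the lookup; otherwise the jail would be written to disk but never loaded.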
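Review bot: the failregex in filter.d/modoboa-auth.conf.tpl takes `<HOST>` from whatever address Modoboa itself logs in `Failed connection attempt from '<HOST>'`. When the web front end sits behind a reverse proxy or load balancer, that address is the proxy's, so twenty failures from any mix of clients would ban the proxy and lock every user out; the filter should be documented as requiring Modoboa to log the real client address (from a trusted forwarded-for header) in such deployments. The `\'` escapes are harmless but unnecessary in a fail2ban regex; plain `'` reads more clearly.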
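Review bot: `logpath = /var/log/auth.log` in jail.d/modoboa.conf.tpl hardcodes the Debian/Ubuntu path, while scripts/fail2ban.py in the same commit declares an "rpm" package list; on RPM-based systems the auth log is normally /var/log/secure, and a fail2ban jail whose logpath matches no file fails to start. Make the path a template variable or pick it per distribution, and note in the option documentation that the `modoboa.auth` logger has to reach that file (for example via the syslog auth facility) for the filter to ever match a line.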
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References