CVE-2026-44596: Java Vulnerability Analysis and Mitigation
Summary
The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.
This missing rate-limiting control (CWE-307, Improper Restriction of Excessive Authentication Attempts) significantly increases the risk of a successful brute-force attack.
Root Cause
File: yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java
POST /auth/token has no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism:
// AuthHandler.java — handleToken()
// No throttle, no failed attempt counter, no lockout
private void handleToken(HandlerContext ctx) {
    ...
    getSecurityStore().login(token).whenComplete((info, err) -> {
        // Directly attempts authentication with no rate check
    });
}

No such protection is present by default: the official quickstart and documentation contain no guidance on configuring rate limiting.
Impact
An attacker can make unlimited authentication attempts against any account, which makes efficient brute-force password guessing possible.
Proof of Concept
# 20 attempts — zero rate limiting
for i in $(seq 1 20); do
  curl -s -o /dev/null -w "Attempt $i: HTTP %{http_code}\n" \
    -X POST "http://TARGET:8090/auth/token" \
    -d "grant_type=password&username=operator&password=operator12$i"
done
# All return HTTP 401 — no HTTP 429 ever

Confirmed: 20 attempts in 0.07 seconds, no rate limiting enforced.
Fix
Implement DRF-style throttling (in the manner of Django REST Framework's request throttles) on /auth/token:
// Guava cache (com.google.common.cache) and JDK utilities used below
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.Optional;
import java.util.concurrent.TimeUnit;

// Track failed attempts per client IP; an entry expires 15 minutes after its last write
private static final Cache<String, Integer> FAILED_ATTEMPTS =
        CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build();
private static final int MAX_ATTEMPTS = 10;

private void handleToken(HandlerContext ctx) {
    String ip = ctx.getRemoteAddress();
    int attempts = Optional.ofNullable(FAILED_ATTEMPTS.getIfPresent(ip)).orElse(0);
    if (attempts >= MAX_ATTEMPTS) {
        // Refuse before the password is checked at all (HTTP 429)
        throw new TooManyRequestsException("Rate limit exceeded");
    }
    // ... existing auth logic
    // On failure: FAILED_ATTEMPTS.put(ip, attempts + 1)
    // On success: FAILED_ATTEMPTS.invalidate(ip)
}

Source: NVD
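As an added illustration of the mitigation (not code from Yamcs or from the advisory), the following Python model of the /auth/token handler keeps a failed-attempt counter with a 15-minute expiry, refuses with HTTP 429 once 10 failures accumulate, and clears the counter on a genuine login; it goes one step beyond the per-IP snippet above by also counting per target username. The handler, the credential store and the limit values are constructed for this example.

```python
import hmac
import time
from collections import defaultdict
from typing import Callable

# Limits mirroring the advisory's suggested fix (assumed values): 10 failures per 15 minutes.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 15 * 60

class LoginThrottle:
    """Failed-attempt counter with a sliding expiry window, keyed by an arbitrary string.
    Keys are kept for both the client IP and the target username, so a limit that is
    only per IP cannot be sidestepped by spreading guesses over many source addresses."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so tests can advance time deterministically
        self._failures: dict[str, list[float]] = defaultdict(list)

    def _recent(self, key: str) -> list[float]:
        # Drop timestamps older than the window, then return what remains.
        cutoff = self._clock() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def is_blocked(self, key: str) -> bool:
        return len(self._recent(key)) >= MAX_ATTEMPTS

    def record_failure(self, key: str) -> None:
        self._recent(key).append(self._clock())

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)

# Constructed credential store standing in for the service's SecurityStore.
USERS = {"operator": "correct-horse-battery"}

def handle_token(throttle: LoginThrottle, ip: str, username: str, password: str) -> int:
    """Simulated POST /auth/token; returns the HTTP status the client would see."""
    ip_key, user_key = f"ip:{ip}", f"user:{username}"
    if throttle.is_blocked(ip_key) or throttle.is_blocked(user_key):
        return 429  # Too Many Requests: refuse before the password is even checked
    if hmac.compare_digest(USERS.get(username, ""), password):
        throttle.reset(user_key)  # a genuine login clears the account's counter
        return 200
    throttle.record_failure(ip_key)
    throttle.record_failure(user_key)
    return 401
```

Counting per username closes the many-source-address gap but lets a remote party lock a legitimate account for the window, so pair it with alerting on lockouts and a CAPTCHA or similar step-up rather than a hard denial.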