CVE-2023-46745: 
PHP vulnerability analysis and mitigation

LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring system, was found to contain a vulnerability (CVE-2023-46745) where the login method had no rate limit. The vulnerability was discovered and disclosed in November 2023, affecting all versions prior to 23.11.0. This security flaw impacted the authentication mechanism of LibreNMS, specifically through its GET request authentication method (GitHub Advisory).

The vulnerability stems from the implementation of dual login methods, with one method utilizing GET requests for authentication without proper rate limiting controls. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness has been categorized as CWE-307 (Improper Restriction of Excessive Authentication Attempts) (GitHub Advisory).

The vulnerability allows attackers to perform brute force attacks against user accounts. Additionally, since the authentication is performed via GET requests, there is a risk that user credentials could be exposed in web server logs, potentially compromising user account security (GitHub Advisory).

The vulnerability has been patched in LibreNMS version 23.11.0. Users are advised to upgrade to this version or later as there are no known workarounds for this vulnerability (NVD).