
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to take over other users' accounts (recorded as privilege escalation) by brute-forcing credentials, because the application's authentication endpoints apply no rate limiting. The vulnerability was discovered on December 27, 2024, and was assigned CVE-2024-57603. The affected software is ezBookkeeping version 0.7.0, an open-source bookkeeping application (GitHub Issue, Vulnerability Report).
The weakness is in the login endpoint, /api/authorize.json, which enforces neither rate limiting nor a CAPTCHA. A wrong password yields error code 201002 with a message indicating invalid credentials; because the response is the same on every attempt and nothing throttles repeated requests, an attacker can script an unbounded sequence of guesses against any account. The vulnerability has been assigned a CVSS score of 8.5, indicating high severity (Vulnerability Report).
Unlimited authentication attempts make credential brute-forcing practical, and the same lack of throttling applies to verification of two-factor authentication backup codes. An attacker who guesses the password can therefore go on to brute-force the second factor as well; the reported outcome is full account takeover, including the ability to change the account's email address and disable its security features (GitHub Issue).
Recommended mitigations include rate limiting on login attempts (5 attempts per minute is suggested), an account lockout after 3-5 failed attempts, a CAPTCHA challenge after repeated failures, stronger password policies, and email verification for critical account changes. Proper token management and re-authentication before sensitive operations are also advised (GitHub Issue, Vulnerability Report). Two points matter when implementing this: the same limits must cover the backup code verification path, not only the password check, and a lockout keyed on the username alone lets anyone lock legitimate users out, so per-client throttling should be combined with per-account lockout rather than replaced by it.
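The following Go code is an added illustration of the mitigation described above, not code from ezBookkeeping or from the advisory. It implements a sliding-window failure counter with a temporary lockout, keyed on client IP plus login name, and wraps it around a credential check shaped like the /api/authorize.json endpoint. The function and type names, the key scheme, and the 429001 error code are assumptions made for this example; only 201002 is taken from the page.

```go
package main

import (
	"strings"
	"sync"
	"time"
)

// LoginLimiter counts failed logins per key inside a sliding window and locks
// the key out for `lockout` once `maxFails` failures fall within `window`.
type LoginLimiter struct {
	mu       sync.Mutex
	window   time.Duration
	maxFails int
	lockout  time.Duration
	Now      func() time.Time // injectable clock so tests can advance time
	failures map[string][]time.Time
	lockedTo map[string]time.Time
}

func NewLoginLimiter(window time.Duration, maxFails int, lockout time.Duration) *LoginLimiter {
	return &LoginLimiter{window: window, maxFails: maxFails, lockout: lockout, Now: time.Now,
		failures: map[string][]time.Time{}, lockedTo: map[string]time.Time{}}
}

// prune drops failures that have aged out of the window; caller holds mu.
func (l *LoginLimiter) prune(key string, now time.Time) {
	kept := l.failures[key][:0]
	for _, t := range l.failures[key] {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	l.failures[key] = kept
}

// Allow reports whether an attempt for key may proceed right now.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	if until, locked := l.lockedTo[key]; locked {
		if now.Before(until) {
			return false
		}
		delete(l.lockedTo, key) // lockout expired: start from a clean slate
		delete(l.failures, key)
	}
	l.prune(key, now)
	return len(l.failures[key]) < l.maxFails
}

// RecordFailure logs a failed attempt and locks the key once the window holds maxFails of them.
func (l *LoginLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	l.prune(key, now)
	l.failures[key] = append(l.failures[key], now)
	if len(l.failures[key]) >= l.maxFails {
		l.lockedTo[key] = now.Add(l.lockout)
	}
}

// RecordSuccess clears the failure history for key after a valid login.
func (l *LoginLimiter) RecordSuccess(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
	delete(l.lockedTo, key)
}

// Verdict is what an endpoint shaped like POST /api/authorize.json would return.
type Verdict struct {
	Status    int // HTTP status
	ErrorCode int // 0 on success; 201002 is the generic wrong-credentials code from the page
}

// Authorize applies the limiter around a credential check. The key combines the
// client IP and the login name, so one client hammering one account is stopped
// while other users behind that IP stay unaffected. Every failure is recorded
// before the caller learns the outcome, and the error code stays the same on
// every wrong guess. Code 429001 is an assumption of this example (hypothetical).
func Authorize(l *LoginLimiter, clientIP, user, pass string, check func(user, pass string) bool) Verdict {
	key := clientIP + "|" + strings.ToLower(user)
	if !l.Allow(key) {
		return Verdict{Status: 429, ErrorCode: 429001}
	}
	if !check(user, pass) {
		l.RecordFailure(key)
		return Verdict{Status: 401, ErrorCode: 201002}
	}
	l.RecordSuccess(key)
	return Verdict{Status: 200}
}
```

With NewLoginLimiter(time.Minute, 5, 15*time.Minute), the fifth wrong password within a minute locks that IP/account pair for fifteen minutes, and a correct password from a different IP still succeeds. The same limiter, keyed on the account alone, should wrap the 2FA backup code check so that the second factor cannot be brute-forced once the password is known. Behind a reverse proxy the client IP must be taken from the proxy's trusted forwarding header rather than the socket address, or every user will share one key.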
Source: This report was generated using AI