
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Windmill version 1.380.0, identified as CVE-2024-8462. The issue affects the HTTP Request Handler component, specifically in the file backend/windmill-api/src/users.rs. The vulnerability is related to improper restriction of excessive authentication attempts. The issue was disclosed on September 5, 2024, and has been patched in version 1.390.1 (Windmill Release, VulDB).
The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). The attack complexity is considered high, with a CVSS v3.1 base score of 3.7 (LOW). The vulnerability can be exploited remotely but requires significant effort. The issue stems from insufficient measures to prevent multiple failed authentication attempts within a short time frame, making the system susceptible to brute-force attacks (VulDB).
The vulnerability primarily affects the confidentiality aspect of the system. An attacker could potentially perform brute-force attacks against the authentication system by exploiting the lack of rate limiting. This could lead to unauthorized access through token discovery, which is a particular concern for user-created tokens that have no expiry date (VulDB).
The vulnerability has been fixed in Windmill version 1.390.1. The patch (identified as acfe7786152f036f2476f93ab5536571514fa9e3) implements rate limiting and adds delays to unauthorized responses to prevent brute force attacks. It is recommended to upgrade to the patched version 1.390.1 (Windmill Commit).
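The two measures the advisory attributes to the fix, a cap on failed authentication attempts per client within a time window and a deliberate delay on the unauthorized path, are shown below in an added illustrative example. This is not Windmill's code and not the patched users.rs: the AuthRateLimiter and AuthOutcome names, the sliding-window design, the choice of client key and the parameter values are all assumptions, and the example uses only the standard library so it runs stand-alone.

```rust
// Added example, not Windmill's implementation: a sliding-window limiter for
// failed authentication attempts plus a fixed delay on unauthorized responses.
// All names and parameters here are illustrative assumptions.
use std::collections::{HashMap, VecDeque};
use std::thread::sleep;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum AuthOutcome {
    /// Credentials verified; the request may proceed.
    Allowed,
    /// Credentials rejected; the caller has already been delayed.
    Denied,
    /// Too many recent failures for this key; credentials were not even checked.
    RateLimited,
}

pub struct AuthRateLimiter {
    max_failures: usize,
    window: Duration,
    failure_delay: Duration,
    /// Timestamps of recent failures per key (client address, account, or both).
    failures: HashMap<String, VecDeque<Instant>>,
}

impl AuthRateLimiter {
    pub fn new(max_failures: usize, window: Duration, failure_delay: Duration) -> Self {
        Self { max_failures, window, failure_delay, failures: HashMap::new() }
    }

    /// Drop failures older than the window so the limit means "N per window",
    /// not "N ever"; returns the number of failures still inside the window.
    fn prune(&mut self, key: &str, now: Instant) -> usize {
        let window = self.window;
        let entry = self.failures.entry(key.to_string()).or_default();
        while entry.front().map_or(false, |t| now.duration_since(*t) > window) {
            entry.pop_front();
        }
        entry.len()
    }

    /// True when this key has exhausted its failure budget for the window.
    pub fn is_blocked(&mut self, key: &str, now: Instant) -> bool {
        self.prune(key, now) >= self.max_failures
    }

    pub fn record_failure(&mut self, key: &str, now: Instant) {
        self.prune(key, now);
        self.failures.entry(key.to_string()).or_default().push_back(now);
    }

    /// A successful login clears the failure history for the key.
    pub fn record_success(&mut self, key: &str) {
        self.failures.remove(key);
    }

    /// Consult the limiter before running `verify`, and delay the unauthorized
    /// path so every wrong guess costs the caller wall-clock time.
    pub fn authenticate<F>(&mut self, key: &str, now: Instant, verify: F) -> AuthOutcome
    where
        F: FnOnce() -> bool,
    {
        if self.is_blocked(key, now) {
            return AuthOutcome::RateLimited;
        }
        if verify() {
            self.record_success(key);
            AuthOutcome::Allowed
        } else {
            self.record_failure(key, now);
            sleep(self.failure_delay);
            AuthOutcome::Denied
        }
    }
}

fn main() {
    // Constructed client key and token check; a real handler would derive the
    // key from the request and verify the presented token against its store.
    let mut limiter = AuthRateLimiter::new(5, Duration::from_secs(60), Duration::from_millis(500));
    let key = "203.0.113.7";
    let valid_token = "constructed-valid-token";
    for guess in ["guess-1", "guess-2", valid_token] {
        let outcome = limiter.authenticate(key, Instant::now(), || guess == valid_token);
        println!("{guess:>25} -> {outcome:?}");
    }
}
```

Two design points matter more than the numbers. The key decides what the limit protects: keying on the client address alone throttles one source but not a distributed guesser, while keying on the target account alone lets an attacker lock legitimate users out, so production limiters usually combine both. The delay should be applied on every unauthorized response, not only once the limit is reached, so that the response time does not reveal whether a guess was close to the limit.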
Source: This report was generated using AI