CVE-2023-46745

Name of the Vulnerable Software and Affected Versions LibreNMS versions prior to 23.11.0

Description The issue concerns the login method in LibreNMS, which lacks a rate limit, allowing an attacker to potentially gain access to user accounts through brute force attacks. The login method uses a GET request for authentication, which is not recommended as it may store user credentials in web server logs. There are no known workarounds for this issue.

Recommendations For versions prior to 23.11.0, upgrade to version 23.11.0 to address the issue. As a temporary workaround, consider restricting access to the login endpoint or implementing rate limiting on the / endpoint to minimize the risk of exploitation. Avoid using the password parameter in the affected API endpoint until the issue is resolved.