JATOS Authentication System Denial-of-Service Vulnerability Allowing Account Lockout
Vulnerability
A denial-of-service vulnerability has been identified in the authentication system of JATOS version 3.9.4. An attacker who knows a target's username can lock that user out by submitting repeated failed login attempts: three incorrect attempts within a minute are enough to trigger the account lockout mechanism, and an attacker who keeps repeating them keeps the legitimate user locked out indefinitely. Because the lockout is keyed to the account rather than to the source IP address, any unauthenticated party can lock out any user account, regardless of that account's privileges.
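The following model is an added illustration of the pattern the advisory describes; it is not JATOS code. It puts an account-keyed lockout (failures counted per username, as in the vulnerable behaviour) next to a source-keyed variant (failures counted per source IP and username pair), and runs a simulated attacker against both. The threshold of three failures comes from the advisory; the 60-second window and lock duration, the credential store, and the IP addresses and usernames are assumptions constructed for the example.

```python
"""Model of an account-keyed login lockout next to a source-keyed one.
Constructed illustration of the advisory's pattern, not JATOS code: the
threshold (3) is from the advisory; window, lock length, credentials and
addresses are assumptions."""
from collections import defaultdict, deque

FAILURE_THRESHOLD = 3      # failed attempts that trigger a lock (from the advisory)
FAILURE_WINDOW_S = 60.0    # assumed: failures older than this are forgotten
LOCK_DURATION_S = 60.0     # assumed lock length; the attacker simply re-triggers it

# Constructed credential store for the demonstration.
PASSWORDS = {"alice": "correct-horse-battery-staple"}


class LoginPolicy:
    """Shared bookkeeping; subclasses decide what a failure counter is keyed on."""

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def key(self, username, src_ip):
        raise NotImplementedError

    def login(self, username, password, src_ip, now):
        """Return 'ok', 'bad_password' or 'locked' for one attempt at time `now`."""
        k = self.key(username, src_ip)
        if self.locked_until.get(k, 0.0) > now:
            return "locked"                 # rejected before the password is checked
        recent = self.failures[k]
        while recent and now - recent[0] > FAILURE_WINDOW_S:
            recent.popleft()                # forget failures outside the window
        if PASSWORDS.get(username) == password:
            recent.clear()                  # a correct login resets the counter
            return "ok"
        recent.append(now)
        if len(recent) >= FAILURE_THRESHOLD:
            # This attempt still gets the normal failure response; the lock
            # applies to every later attempt until it expires.
            self.locked_until[k] = now + LOCK_DURATION_S
            recent.clear()
        return "bad_password"


class AccountKeyedLockout(LoginPolicy):
    """The vulnerable pattern: failures are counted per account regardless of
    where they come from, so anyone who knows a username can keep it locked."""

    def key(self, username, src_ip):
        return username


class SourceKeyedLockout(LoginPolicy):
    """Hardened variant: failures are counted per (source IP, account) pair, so an
    attacker's failures lock only the attacker's own source, not the user."""

    def key(self, username, src_ip):
        return (src_ip, username)


def simulate(policy_cls, minutes=10):
    """Attacker at 198.51.100.7 (constructed) sends one wrong password per second;
    alice logs in with the right password from 192.0.2.10 at 30 s past each minute.
    Returns (alice's outcomes, number of attacker requests that were actually
    evaluated as password failures rather than rejected by the lock)."""
    policy = policy_cls()
    victim_outcomes, counted = [], 0
    for t in range(minutes * 60):
        result = policy.login("alice", "not-the-password", "198.51.100.7", float(t))
        if result == "bad_password":
            counted += 1
        if t % 60 == 30:
            victim_outcomes.append(
                policy.login("alice", PASSWORDS["alice"], "192.0.2.10", t + 0.5))
    return victim_outcomes, counted


if __name__ == "__main__":
    for cls in (AccountKeyedLockout, SourceKeyedLockout):
        outcomes, counted = simulate(cls)
        print(f"{cls.__name__}: alice saw {outcomes}; "
              f"{counted} attacker requests were counted as failures")
```

With the account-keyed policy the victim's ten correct logins are all rejected, and only 30 of the attacker's 600 requests are ever counted, because a request that arrives while the lock is active is refused before the password is checked: three counted failures per minute are enough to renew the lock indefinitely. With the source-keyed policy the same attacker locks only its own (source, account) key and the victim logs in every time. Keying on the source alone is not a complete fix, since an attacker with many addresses can still generate failures against the account; in practice a hard per-account lock should be replaced or supplemented by a per-account slowdown or step-up check that does not refuse a correct password outright.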
Impact
Exploitation results in an indefinite lockout of the targeted accounts, denying legitimate users access to JATOS for as long as the attacker keeps sending failed login attempts.
