OpenProject Two-Factor Authentication Rate Limiting Vulnerability

Vulnerability

A vulnerability exists in OpenProject versions prior to 17.3.0: the two-factor authentication (2FA) one-time password (OTP) verification step has no rate limiting, no lockout mechanism and no tracking of failed attempts. An attacker who already knows a user's password can therefore brute-force the 6-digit TOTP code at 5-10 attempts per second and bypass 2FA entirely. A TOTP code rotates every 30 seconds by default, so each guess succeeds with probability of roughly 1 in 10^6 (higher if the server also accepts adjacent time steps); at the stated rate an attacker can expect to succeed within one to two days of sustained guessing. The same missing controls apply to backup code verification, so backup codes can be guessed in the same way.

Impact

Exploitation of this vulnerability allows a complete bypass of two-factor authentication on any account whose password the attacker already holds. That is precisely the scenario 2FA exists to defend against, so the second factor provides no effective protection on affected versions.

Reproduction

To reproduce, enable TOTP 2FA for a test user, log in with the correct password to reach the OTP prompt, and submit a rapid series of incorrect OTP codes. On an affected version the account is never locked and the failed login counter is not incremented, no matter how many wrong codes are submitted. Submitting the correct OTP immediately afterwards succeeds, which demonstrates the absence of rate limiting, lockout and failed-attempt tracking. On a fixed version the same sequence should instead produce a throttled or locked response before the correct code is accepted.
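The following Ruby script is an added example (OpenProject is a Rails application, but this is not OpenProject's code) that replays the reproduction above against two verifier shapes: one that mirrors the flaw, and one that adds the three missing controls. The TOTP routine is a stdlib-only RFC 6238 implementation, the secret is a constructed value, and the policy numbers (window, attempts per window, failures before lockout, lockout length) are assumptions chosen for the example rather than anything OpenProject ships.

```ruby
require 'openssl'

# Constructed example secret (raw bytes); real deployments store a random
# per-user secret, usually shown to the user as base32.
SECRET = 'constructed-example-totp-secret'.freeze

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, truncated to 6 digits.
# Illustrative stdlib-only implementation; it is not OpenProject's code.
def totp(secret, now, step: 30, digits: 6)
  counter = [now / step].pack('Q>')
  hmac = OpenSSL::HMAC.digest('sha1', secret, counter)
  offset = hmac.getbyte(-1) & 0x0f
  code = (hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# Constant-time comparison so the verifier does not leak matching prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The flawed shape described in the advisory: every submission is checked,
# nothing is counted, and nothing slows the attacker down.
class UnprotectedOtpVerifier
  def initialize(secret)
    @secret = secret
  end

  def verify(code, now)
    secure_equal?(code, totp(@secret, now)) ? :ok : :invalid
  end
end

# Hardened shape: sliding-window rate limit, failed-attempt counter and a
# lockout. The policy values are assumptions picked for this example.
class ThrottledOtpVerifier
  WINDOW_SECONDS = 10       # sliding window used by the rate limit
  MAX_PER_WINDOW = 3        # attempts accepted inside one window
  MAX_FAILURES = 5          # consecutive failures before lockout
  LOCKOUT_SECONDS = 15 * 60

  attr_reader :failed_attempts, :locked_until

  def initialize(secret)
    @secret = secret
    @recent = []            # timestamps of attempts inside the window
    @failed_attempts = 0
    @locked_until = nil
  end

  def verify(code, now)
    return :locked if @locked_until && now < @locked_until

    @recent.reject! { |t| t <= now - WINDOW_SECONDS }
    return :rate_limited if @recent.size >= MAX_PER_WINDOW
    @recent << now

    if secure_equal?(code, totp(@secret, now))
      @failed_attempts = 0
      return :ok
    end

    @failed_attempts += 1
    if @failed_attempts >= MAX_FAILURES
      @locked_until = now + LOCKOUT_SECONDS
      return :locked
    end
    :invalid
  end
end

# Replays the advisory's reproduction: `failures` wrong codes spaced
# `interval` seconds apart, then the correct code. Returns every verdict.
# Wrong codes are derived from the real one so they are guaranteed not to match.
def reproduce(verifier, secret, now, failures:, interval:)
  results = []
  t = now
  failures.times do
    wrong = format('%06d', (totp(secret, t).to_i + 1) % 1_000_000)
    results << verifier.verify(wrong, t)
    t += interval
  end
  results << verifier.verify(totp(secret, t), t)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  puts "unprotected:      #{reproduce(UnprotectedOtpVerifier.new(SECRET), SECRET, now, failures: 50, interval: 0).last}"
  puts "throttled, burst: #{reproduce(ThrottledOtpVerifier.new(SECRET), SECRET, now, failures: 50, interval: 0).last}"
  puts "throttled, paced: #{reproduce(ThrottledOtpVerifier.new(SECRET), SECRET, now, failures: 5, interval: 4).last}"
end
```

Against the unprotected verifier, fifty wrong codes in the same second are all simply rejected and the correct code is then accepted, which is exactly the observable behaviour the reproduction describes. Against the throttled verifier, a burst hits the rate limit after three attempts (and the correct code is refused while the limit is active), while a slower, paced attacker is locked out after five consecutive failures and stays locked even when the correct code is finally submitted. Note that the verifier checks only the current 30-second step; accepting adjacent steps for clock drift, as many deployments do, enlarges the set of valid codes and makes the missing controls correspondingly more dangerous.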

Remediation

Update to OpenProject version 17.3.0 or later, where this vulnerability has been fixed. Where an immediate upgrade is not possible, rate limiting the 2FA verification endpoint at a reverse proxy or WAF reduces the achievable guess rate and buys time, but it is a stopgap rather than a substitute for the fix; bursts of failed OTP submissions for a single account are also a useful detection signal in the meantime.

Added: Apr 15, 2026, 8:21 PM
Updated: Apr 15, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          1.3
exploitability  9.5
remediation     7.7
relevance       6.0
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.