CVE-2022-2651
published 2022-08-04

CVE-2022-2651: Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.

Priority P267 · critical 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 11.38% (95.5th percentile)

Affected

2 ranges

Vendor            Product                   Version range           Fixed in
bookwyrm-social   bookwyrm-social_bookwyrm  >= unspecified < 0.4.5  0.4.5
joinbookwyrm      bookwyrm                  < 0.4.5                 0.4.5

Detection & IOCs (extracted from sources)

url: https://site/confirm-email
  • Monitor for high-frequency repeated POST requests to the /confirm-email endpoint from a single source, indicating OTP brute-force attempts against email verification.
  • Alert on account creation events where the registering email matches an existing or victim-controlled address, followed immediately by rapid OTP submission attempts to /confirm-email.
  • Absence of rate-limit enforcement on the /confirm-email endpoint is the exploitable condition; detect by observing no HTTP 429 responses across many sequential OTP submissions from the same IP.
  • Vulnerability affects Bookwyrm versions up to and including 0.4.3; instances must be upgraded to 0.4.5 or later to remediate.
  • The exploit relies entirely on the absence of rate limiting on the OTP confirmation endpoint; any deployment without rate-limit middleware on /confirm-email is vulnerable regardless of other controls.
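As an added illustration, not taken from the CVE record or the Bookwyrm project, the following Python implements the first and third detection bullets above: it counts POST submissions to /confirm-email per source address in a sliding window and records whether that source was ever answered with HTTP 429. The access-log format, the addresses and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log style line; an assumed format, not Bookwyrm's own logging.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, sec, method="POST", status=200):
    return f'{ip} - - [04/Aug/2022:10:00:{sec:02d} +0000] "{method} /confirm-email HTTP/1.1" {status} 512'

# Constructed sample log: one source submitting a code every second, one normal user.
SAMPLE_LOG = ([_line("203.0.113.7", s) for s in range(12)]        # 12 submissions in 12 s, never throttled
              + [_line("198.51.100.5", s) for s in (5, 40)]       # two honest attempts
              + [_line("203.0.113.7", 30, method="GET")])         # page load, not a submission

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"].split("?")[0], int(m["status"]))

def otp_bruteforce_alerts(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP whose POSTs to /confirm-email reach `threshold` inside any
    sliding `window` to its peak count and whether it was ever throttled (HTTP 429)."""
    stamps_by_ip, throttled = defaultdict(list), defaultdict(bool)
    for ip, ts, method, path, status in parse(lines):
        if method == "POST" and path == "/confirm-email":
            stamps_by_ip[ip].append(ts)
            throttled[ip] |= status == 429
    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):      # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"peak_in_window": peak, "rate_limited": throttled[ip]}
    return alerts
```

An alert whose `rate_limited` is False is the condition the third bullet describes: many sequential submissions from one address with no 429 ever returned.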

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H