CVE-2024-55008: JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacke...
JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.
Security readout for executives and security teams
Plain-English summary
CVE-2024-55008 lets an unauthenticated attacker repeatedly fail logins against a chosen JATOS account until the account remains locked. The impact is availability: legitimate users can be denied access to their own accounts without the attacker needing credentials.
Executive priority
Treat as high priority for exposed JATOS environments because it can block legitimate access without credentials. It is primarily an availability risk, not a data theft issue based on current sources.
Technical view
JATOS 3.9.4 is described as vulnerable to account-level lockout denial of service. Three incorrect login attempts per minute can trigger lockout repeatedly. Because lockout is tied to the user account rather than the source IP, attackers can target specific accounts remotely.
Likely exposure
Exposure is most relevant where JATOS 3.9.4 login pages are reachable by untrusted networks or the internet. The CVE metadata does not provide CPEs or a broader affected-version range.
Exploitation context
The source bundle does not show KEV listing or confirmed active exploitation. The described attack is low complexity and unauthenticated, but evidence is limited to the CVE description and a public write-up.
Researcher notes
CVE metadata names CWE-307 and CVSS 7.5 with availability high. The affected field is n/a, while the description names JATOS 3.9.4. One reference URL slug mentions CVE-2024-51379, so verify identifiers during triage.
Mitigation direction
Check JATOS/vendor guidance for a fixed version or official mitigation.
Restrict access to JATOS login pages where operationally feasible.
Monitor for repeated failed logins against the same account.
Review account lockout policy and compensating controls.
Prioritize upgrade planning if JATOS 3.9.4 is present.
Validation and detection
Inventory JATOS deployments and confirm whether version 3.9.4 is running.
Identify whether JATOS authentication endpoints are internet-exposed.
Review authentication logs for repeated failed attempts per account.
Check for user complaints or alerts showing recurring account lockouts.
Track vendor advisories for confirmed affected versions and remediation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-307: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-307 · source CWE mapping
Improper Restriction of Excessive Authentication Attempts
Improper Restriction of Excessive Authentication Attempts represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.