CVE-2021-3663
📋 TL;DR
CVE-2021-3663 is an authentication rate limiting vulnerability in Firefly III personal finance software that allows attackers to perform unlimited login attempts without lockout mechanisms. This enables brute-force attacks against user credentials. All Firefly III instances with vulnerable versions are affected.
💻 Affected Systems
- Firefly III
📦 What is this software?
Firefly III by Firefly III
⚠️ Risk & Real-World Impact
Worst Case
Attackers could brute-force administrator credentials, gain full control of the financial management system, and potentially access sensitive financial data or modify transactions.
Likely Case
Attackers could compromise user accounts through credential stuffing or brute-force attacks, leading to unauthorized access to personal financial information.
If Mitigated
With proper rate limiting and account lockout policies, impact is limited to temporary service disruption from failed login attempts.
🎯 Exploit Status
Exploitation requires no authentication and can be performed with simple HTTP requests. Public exploit scripts are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commit afc9f4b7ebc8a240c85864a6e1abda62bfeefae8
Vendor Advisory: https://github.com/firefly-iii/firefly-iii/commit/afc9f4b7ebc8a240c85864a6e1abda62bfeefae8
Restart Required: No
Instructions:
1. Update Firefly III to the latest version.
2. For self-hosted instances: git pull the latest changes and redeploy.
3. For Docker deployments: pull the updated image and restart the container.
🔧 Temporary Workarounds
Implement Web Application Firewall (WAF) Rate Limiting
Configure the WAF or reverse proxy to limit login attempts per IP address.
nginx (define the zone in the http block, then apply it to the login location, keeping your existing proxy_pass/try_files directives there):
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location = /login { limit_req zone=login burst=5 nodelay; }
apache: SetEnvIf Request_URI "^/login" ratelimit
SetEnvIf on its own only tags matching requests with an environment variable; enforcing a request-rate limit needs an additional module such as mod_evasive or ModSecurity (Apache's mod_ratelimit throttles bandwidth, not request counts).
Network-Level Rate Limiting
Use firewall rules to limit new connections to the web port. iptables matches on the TCP port, not the URL, so this throttles all new HTTP connections rather than only /login (use --dport 443 for HTTPS).
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name HTTP -j DROP
🧯 If You Can't Patch
- Implement strong password policies and multi-factor authentication
- Monitor authentication logs for brute-force patterns and block suspicious IPs
🔍 How to Verify
Check if Vulnerable:
Check if login endpoint (/login) allows unlimited rapid login attempts without lockout
Check Version:
php artisan --version (for self-hosted) or check Docker image tag
Verify Fix Applied:
Test the login endpoint with rapid failed attempts; rate limiting or lockout should trigger once the threshold is reached.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from same IP in short timeframe
- Unusual login patterns outside normal hours
Network Indicators:
- High volume of POST requests to /login endpoint
- Traffic patterns showing credential stuffing tools
SIEM Query:
source="firefly-iii.log" | search "failed login" | stats count by src_ip | where count > 10
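The log indicator and SIEM query above count failed logins per source address; the following added example (not part of this advisory or of Firefly III) does the same over a sliding time window, so that a slow, spread-out attack is distinguished from a burst. The Laravel-style log format and the "failed login for user ... from ..." message text are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a Laravel-style format. The exact message text
# Firefly III writes is an assumption here: adjust LINE_RE to your own logs.
def _line(ts, user, ip):
    return f"[{ts:%Y-%m-%d %H:%M:%S}] production.WARNING: failed login for user {user} from {ip}"

T0 = datetime(2021, 7, 28, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # 12 failures in 11 seconds from one address: the brute-force pattern
    [_line(T0 + timedelta(seconds=i), "alice", "203.0.113.7") for i in range(12)]
    # 12 failures six minutes apart: never 10 inside one 5-minute window
    + [_line(T0 + timedelta(minutes=6 * i), "bob", "198.51.100.9") for i in range(12)]
    # two typos from a legitimate user, and an unrelated INFO line
    + [_line(T0 + timedelta(seconds=30 * i), "carol", "192.0.2.5") for i in range(2)]
    + ["[2021-07-28 10:00:05] production.INFO: user alice logged in from 192.0.2.5"]
)

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] \S+ "
    r"failed login for user (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_failed_logins(text):
    """Yield (timestamp, ip, user) for every failed-login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def brute_force_sources(text, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: time_threshold_crossed} for addresses with at least
    `threshold` failures inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _user in sorted(parse_failed_logins(text)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} crossed the failed-login threshold at {when}")
```

Feed it the real log file instead of SAMPLE_LOG and tune threshold and window to the lockout policy you expect the patched version or your WAF rule to enforce.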
🔗 References
- https://github.com/firefly-iii/firefly-iii/commit/afc9f4b7ebc8a240c85864a6e1abda62bfeefae8
- https://huntr.dev/bounties/497bdf6d-7dba-49c3-8011-1c64dfbb3380