CVE-2024-55008

7.5 HIGH

📋 TL;DR

JATOS 3.9.4 contains an authentication DoS vulnerability where attackers can lock any user account indefinitely by submitting 3 failed login attempts per minute. This affects all JATOS users regardless of privileges since lockouts are account-based rather than IP-based. The vulnerability allows denial of service against legitimate users.

💻 Affected Systems

Products:
  • JATOS
Versions: 3.9.4
Operating Systems: All platforms running JATOS
Default Config Vulnerable: ⚠️ Yes
Notes: All JATOS 3.9.4 installations with authentication enabled are vulnerable. The vulnerability is in the account lockout mechanism implementation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Critical users (administrators, researchers) are locked out during time-sensitive operations, disrupting research studies and system administration.

🟠 Likely Case: Regular users experience account lockouts preventing access to their studies and data, requiring manual intervention to unlock accounts.

🟢 If Mitigated: With proper monitoring and rate limiting, impact is limited to temporary inconvenience with quick detection and response.

🌐 Internet-Facing: HIGH - Any internet-accessible JATOS instance is vulnerable to remote DoS attacks against user accounts.
🏢 Internal Only: MEDIUM - Internal attackers could still disrupt operations but with more limited scope than external threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires no special tools, just repeated HTTP POST requests to the login endpoint. Attackers need valid usernames but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.9.5 or later

Vendor Advisory: http://jatos.com

Restart Required: Yes

Instructions:

1. Back up the current JATOS installation and data.
2. Download JATOS 3.9.5 or later from the official website.
3. Stop the JATOS service.
4. Replace the installation with the new version.
5. Restart the JATOS service.
6. Verify functionality.

🔧 Temporary Workarounds

Implement IP-based rate limiting (applies to: all)

Configure the web server or firewall to limit login attempts per IP address.

# Example nginx rate limiting, declared in the http context:
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
# Then apply it in the login location block:
location /jatos/login {
    limit_req zone=login burst=5 nodelay;
}

Disable account lockout feature (applies to: all)

Temporarily disable the account lockout mechanism if the business impact is acceptable.

# Modify the JATOS configuration to set the account lockout threshold to 0 or a very high number.
# Check the JATOS documentation for the specific configuration parameters.

🧯 If You Can't Patch

  • Implement network-level rate limiting using WAF or firewall rules to restrict login attempts per source IP
  • Enable detailed authentication logging and implement alerting for suspicious login patterns

🔍 How to Verify

Check if Vulnerable:

Test by attempting 3 failed logins for an account within 1 minute, then verify that a subsequent legitimate login to that account is blocked.

Check Version:

Check JATOS version in web interface or run: java -jar jatos.jar --version

Verify Fix Applied:

After patching, repeat the test: the account should not lock after 3 failed attempts within 1 minute.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts for same username within short timeframe
  • Account lockout events in authentication logs
  • Unusual pattern of 3 failed attempts exactly every minute

Network Indicators:

  • Repeated POST requests to /jatos/login endpoint from same source
  • HTTP 401 responses followed by account lockout messages

SIEM Query:

source="jatos.log" AND ("authentication failure" OR "failed login") | stats count by src_ip, username | where count >= 3
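An added example, not part of this advisory or of JATOS, of the same check run directly over authentication log lines. It groups failures by username rather than by source IP, because the lockout described above is account-based; the log line shape ("failed login for user X from IP") and all timestamps, names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic "timestamp level message" shape.
# The real JATOS log format is an assumption here; adjust LOG_RE to match it.
SAMPLE_LOG = """\
2024-11-20 10:00:01 WARN failed login for user alice from 203.0.113.5
2024-11-20 10:00:20 WARN failed login for user alice from 203.0.113.5
2024-11-20 10:00:45 WARN failed login for user alice from 198.51.100.7
2024-11-20 10:03:00 WARN failed login for user bob from 203.0.113.5
2024-11-20 10:09:00 WARN failed login for user bob from 203.0.113.5
2024-11-20 10:15:00 WARN failed login for user bob from 203.0.113.5
2024-11-20 10:16:00 INFO successful login for user carol from 192.0.2.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ failed login for user "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def find_lockout_bursts(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {username: (first_ts, last_ts, source_ips)} for every account that
    saw `threshold` failed logins inside any span of length `window`.
    Grouping is per account, not per IP, since that is what triggers the lockout."""
    recent = defaultdict(deque)  # username -> (timestamp, ip) within the window
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        q = recent[user]
        q.append((ts, m["ip"]))
        # Drop failures older than the window relative to the newest one
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in hits:
            hits[user] = (q[0][0], ts, {ip for _, ip in q})
    return hits


if __name__ == "__main__":
    for user, (start, end, ips) in find_lockout_bursts(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} source(s) between {start} and {end}")
```

Note that alice is flagged even though her failures come from two addresses; the SIEM query above, which counts by src_ip and username together, would split that burst across sources and miss it.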
