History: Mar 06, 2024 - 7:15 p.m.

CVE-2024-24766

2024-03-06 19:15:07
CWE-204
GitHub_M
web.nvd.nist.gov
casaos
userservice
user management
username enumeration
vulnerability
security
cve-2024-24766
nvd

CVSS3: 6.2

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.2
Confidence: High

EPSS: 0
Percentile: 15.5%

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page is vulnerable to username enumeration. An attacker can enumerate CasaOS usernames using the application response: if the username is incorrect, the application gives the error **User does not exist**; if the password is incorrect, the application gives the error **Invalid password**. Version 0.4.7 fixes this issue.

Affected configurations

Node
Vendor: icewhaletech
Product: casaos_userservice
Range: 0.4.4.3 - 0.4.7

Vendor: icewhaletech
Product: casaos_userservice
Version: *
CPE: cpe:2.3:a:icewhaletech:casaos_userservice:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "IceWhaleTech",
    "product": "CasaOS-UserService",
    "versions": [
      {
        "version": ">= 0.4.4.3, < 0.4.7",
        "status": "affected"
      }
    ]
  }
]
