Lucene search

[email protected]CVE-2024-28232

HistoryApr 01, 2024 - 5:15 p.m.

CVE-2024-28232

2024-04-0117:15:45

CWE-204

[email protected]

web.nvd.nist.gov

casaos-userservice

username enumeration

vulnerability

patched

version 0.4.8

go package manager

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

8.7%

JSON

Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go’s package manager.

References

github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb

github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

8.7%

JSON

Related for CVE-2024-28232

osv3 veracode1 github1 gitlab1 cvelist1