cvelist
GitHub_M
CVELIST:CVE-2024-24766
History: Mar 06, 2024 - 6:10 p.m.

CVE-2024-24766 CasaOS Username Enumeration

2024-03-06 18:10:25
CWE-204
GitHub_M
www.cve.org
casaos
userservice
user management
username enumeration
vulnerability
login page
application response
invalid password
version 0.4.7 fix

CVSS3: 6.2

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 15.5%

CasaOS-UserService provides user management functionality to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page is vulnerable to username enumeration. An attacker can enumerate CasaOS usernames from the application's response: if the username is incorrect, the application returns the error **User does not exist**; if the password is incorrect, it returns the error **Invalid password**. Version 0.4.7 fixes this issue.

CNA Affected

[
  {
    "vendor": "IceWhaleTech",
    "product": "CasaOS-UserService",
    "versions": [
      {
        "version": ">= 0.4.4.3, < 0.4.7",
        "status": "affected"
      }
    ]
  }
]
