Lucene search

GitHub Advisory DatabaseGHSA-45GQ-Q4XH-CP53

HistoryJan 30, 2024 - 8:56 p.m.

vantage6 vulnerable to username timing attack

2024-01-3020:56:48

CWE-208

GitHub Advisory Database

github.com

vantage6} {username timing attack} {security} {credential attacks} {login} {response time

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Impact

It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks

Workarounds

Affected configurations

Vulners

Node

vantage6vantage6-uiRange<4.2.0

VendorProductVersionCPE
vantage6vantage6-ui*cpe:2.3:a:vantage6:vantage6-ui:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vantage6	vantage6-ui	*	cpe:2.3:a:vantage6:vantage6-ui::::::::

References

github.com/advisories/GHSA-45gq-q4xh-cp53

github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-31.yaml

github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30

github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53

nvd.nist.gov/vuln/detail/CVE-2024-21671

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Related for GHSA-45GQ-Q4XH-CP53