GitHub Advisory Database: GHSA-CRR3-H4M8-7F56
History: May 27, 2024 - 11:23 p.m.

silverstripe/framework vulnerable to member disclosure in login form

Published: 2024-05-27 23:23:51
Weakness: CWE-200
Source: GitHub Advisory Database (github.com)
Tags: silverstripe/framework, user id enumeration, vulnerability, login form, security disclosure, regression, ss-2017-002

AI Score: 7.1 High (Confidence: High)

There is a user ID enumeration vulnerability in our brute force error messages.

  • Users that do not exist in the member table never receive a locked-out message
  • Users that do exist receive a locked-out message once the attempt limit is reached

This means an attacker can infer or confirm user details that exist in the member table.

This issue has been resolved by ensuring that login attempt logging and the lockout process work equivalently for non-existent users as they do for existent users.

This is a regression of SS-2017-002.
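
The behaviour described above, as an added, language-neutral illustration that is not Silverstripe's code: a login handler that only records failed attempts and applies lockouts for members that exist (the leaky pattern), next to one that logs attempts and enforces the lockout on whatever identifier was submitted, so both paths return the same messages. The member table, message strings, attempt limit and the `probe`/`leaks_existence` helpers are constructed here as a defender's regression check, not taken from the advisory or the project.

```python
"""Lockout-message account enumeration: leaky handler beside an equivalent-handling one."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed sample member table (not Silverstripe data). A real system stores
# password hashes from a dedicated password-hashing function; sha256 keeps the
# sample self-contained.
MEMBERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
MAX_FAILED_ATTEMPTS = 3
GENERIC_FAILURE = "The provided details don't seem to be correct. Please try again."
LOCKED_OUT = "Your account has been temporarily disabled because of too many failed attempts."


def _password_matches(username: str, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(MEMBERS[username], digest)


@dataclass
class VulnerableLogin:
    """Leaky pattern: attempts are only tracked for identifiers that map to a member."""
    failed: dict[str, int] = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        if username not in MEMBERS:
            # No member record to log against, so the lockout is never reached:
            # a non-existent account can be told apart by the message it produces.
            return GENERIC_FAILURE
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return LOCKED_OUT
        if _password_matches(username, password):
            self.failed.pop(username, None)
            return "OK"
        self.failed[username] = self.failed.get(username, 0) + 1
        return GENERIC_FAILURE


@dataclass
class HardenedLogin:
    """Equivalent handling: attempts are logged and lockouts enforced per submitted identifier."""
    failed: dict[str, int] = field(default_factory=dict)

    def attempt(self, username: str, password: str) -> str:
        # The lockout check runs before, and independently of, the member lookup.
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return LOCKED_OUT
        if username in MEMBERS and _password_matches(username, password):
            self.failed.pop(username, None)
            return "OK"
        # Failed attempts against unknown identifiers are recorded exactly like
        # failed attempts against real members.
        self.failed[username] = self.failed.get(username, 0) + 1
        return GENERIC_FAILURE


def probe(service_cls, username: str, attempts: int = MAX_FAILED_ATTEMPTS + 1) -> str:
    """Message returned after `attempts` wrong passwords against a fresh service."""
    svc = service_cls()
    msg = GENERIC_FAILURE
    for _ in range(attempts):
        msg = svc.attempt(username, "wrong-password")
    return msg


def leaks_existence(service_cls) -> bool:
    """Regression check: do an existing and a non-existent account answer differently?"""
    return probe(service_cls, "alice") != probe(service_cls, "nobody")


if __name__ == "__main__":
    for cls in (VulnerableLogin, HardenedLogin):
        print(f"{cls.__name__}: leaks account existence = {leaks_existence(cls)}")
```

The `leaks_existence` check is the kind of test that guards against the regression the advisory describes: it exercises the lockout path for a real and an unknown identifier and fails whenever the two responses diverge.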

Affected configurations

  • silverstripe/framework < 4.1.1
  • silverstripe/framework < 4.0.4
