Lucene search

GoogleOSV:GHSA-89P3-9J8C-FQH4

HistoryMar 12, 2023 - 6:30 a.m.

User account enumeration in eZ Publish Ibexa Kernel

2023-03-1206:30:21

Google

osv.dev

ez publish

ibexa kernel

user account enumeration

security advisory

vulnerability

ez platform v1.13

ez platform v2.5

ez platform v3.2

ibexa dxp

ibexa open source v3.3

/user/sessions endpoint

attack detection

response data

response time

fix distribution

composer.

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.1%

JSON

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

References

github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed

github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj

nvd.nist.gov/vuln/detail/CVE-2021-46876

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.1%

JSON

Related for OSV:GHSA-89P3-9J8C-FQH4