silverstripe/framework member disclosure in login form

2024-05-2719:16:12

Google

osv.dev

silverstripe

framework

user id

vulnerability

brute force

error messages

member table

logging

lockout process

existant users.

7.1 High

AI Score

Confidence

High

JSON

There is a user ID enumeration vulnerability in our brute force error messages.

Users that don’t exist in will never get a locked out message
Users that do exist, will get a locked out message

This means an attacker can infer or confirm user details that exist in the member table.

This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.

CPENameOperatorVersion
silverstripe/frameworkeq3.4.1-rc2
silverstripe/frameworkeq3.5.0-rc1
silverstripe/frameworkeq3.5.3-rc1
silverstripe/frameworkeq3.4.0-rc1
silverstripe/frameworkeq3.5.4-rc1
silverstripe/frameworkeq3.5.2-rc1
silverstripe/frameworkeq3.4.2
silverstripe/frameworkeq3.5.1-rc2
silverstripe/frameworkeq3.5.0
silverstripe/frameworkeq3.5.1-rc1

Name	Operator	Version
silverstripe/framework	eq	3.4.1-rc2
silverstripe/framework	eq	3.5.0-rc1
silverstripe/framework	eq	3.5.3-rc1
silverstripe/framework	eq	3.4.0-rc1
silverstripe/framework	eq	3.5.4-rc1
silverstripe/framework	eq	3.5.2-rc1
silverstripe/framework	eq	3.4.2
silverstripe/framework	eq	3.5.1-rc2
silverstripe/framework	eq	3.5.0
silverstripe/framework	eq	3.5.1-rc1

Rows per page:

1-10 of 261

References

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2017-002-1.yaml

github.com/silverstripe/silverstripe-framework

github.com/silverstripe/silverstripe-framework/commit/f71efb5063c57d823dd130b9bfd018f6ef903d49

www.silverstripe.org/download/security-releases/ss-2017-002

7.1 High

AI Score

Confidence

High

JSON