Lucene search

Veracode Vulnerability DatabaseVERACODE:43305

HistorySep 18, 2023 - 3:25 p.m.

Observable Discrepancy (Information Exposure)

2023-09-1815:25:31

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

observable discrepancy

information exposure

baseuser.login

constant time

internal state

malicious user

password spray

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

piccolo is vulnerable to Observable Discrepancy (Information Exposure). The vulnerability is caused by a defect in the BaseUser.login function which fails to return responses in a constant time but based on internal state of the application. (e.g: a response is generated immediately when user is not found as against a time expensive hash comparison when a user is found). This discrepancy allows a malicious user to time requests made in order to generate a list of valid usernames for usage in further attacks like password spray.

CPENameOperatorVersion
piccolole0.120.0
piccolole0.120.0

CPE	Name	Operator	Version
	piccolo	le	0.120.0
	piccolo	le	0.120.0

References

github.com/piccolo-orm/piccolo/blob/master/piccolo/apps/user/tables.py#L191-L237

github.com/piccolo-orm/piccolo/commit/edcfe3568382922ba3e3b65896e6e7272f972261

github.com/piccolo-orm/piccolo/security/advisories/GHSA-h7cm-mrvq-wcfr

skelmis.co.nz/posts/tbue/

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:43305