Lucene search

Veracode Vulnerability DatabaseVERACODE:46150

HistoryApr 02, 2024 - 11:43 a.m.

Username Enumeration

2024-04-0211:43:06

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

username enumeration

icewhaletech

casaos-userservice

improper error handling

authentication disclosure

software

CVSS3

6.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

IceWhaleTech/CasaOS-UserService is vulnerable to username enumeration. The vulnerability is due to improper error handling on the login page, which discloses whether a username exists based on the application’s response to authentication attempts.

References

github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb

github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p

CVSS3

6.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for VERACODE:46150