[GO-2024-2668] Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
Severity: Medium
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
The Casa OS login page has a username enumeration vulnerability that was patched in Casa OS v0.4.7. The issue exists because the application's response differs depending on whether the username or the password is incorrect, allowing an attacker to enumerate usernames by observing the response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine whether a username exists without knowing the password.
Affected
Package | Affected Version |
---|---|
pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 | >= 0.4.7, < 0.4.8 |
Fixed
Package | Fixed Version |
---|---|
pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 | = 0.4.8 |
- ID: GO-2024-2668
- Severity: medium
- Severity from: CVE-2024-28232
- URL: https://pkg.go.dev/vuln/GO-2024-2668
- Published: 2024-04-02T17:01:26
- Modified: 2024-05-14T19:19:00
Source | URL |
---|---|
Security Advisory | https://github.com/advisories/GHSA-hcw2-2r9c-gc6p |
Type | Package URL | Namespace | Name / Product | Version |
---|---|---|---|---|
Fixed | pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 | github.com/icewhaletech/casaos-userservice/route | v1 | = 0.4.8 |
Affected | pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 | github.com/icewhaletech/casaos-userservice/route | v1 | >= 0.4.7, < 0.4.8 |