[GO-2024-2668] Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService

  1. Home
  2. Security Advisories
  3. Go
  4. GO-2024-2668
Affected Packages 1
Fixed Packages 1
CVEs 1
Info Packages References Vulnerabilities

The Casa OS Login page has a username enumeration vulnerability in the login
page that was patched in Casa OS v0.4.7. The issue exists because the
application response differs depending on whether the username or password is
incorrect, allowing an attacker to enumerate usernames by observing the
application response. For example, if the username is incorrect, the application
returns "User does not exist" with return code "10006", while if the password is
incorrect, it returns "User does not exist or password is invalid" with return
code "10013". This allows an attacker to determine if a username exists without
knowing the password.

Package Affected Version
pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 >= 0.4.7, < 0.4.8
Package Fixed Version
pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 = 0.4.8
ID
GO-2024-2668
URL
https://pkg.go.dev/vuln/GO-2024-2668
Published
2024-04-02T17:01:26
(3 months ago)
Modified
2024-05-14T19:19:00
(2 months ago)
Source # ID Name URL
Security Advisory https://github.com/advisories/GHSA-hcw2-2r9c-gc6p
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Fixed pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 github.com/icewhaletech/casaos-userservice/route v1 = 0.4.8
Affected pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 github.com/icewhaletech/casaos-userservice/route v1 >= 0.4.7 < 0.4.8
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date