[GO-2024-2668] Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService

Severity Medium
Affected Packages 1
Fixed Packages 1
CVEs 1

The Casa OS login page has a username enumeration vulnerability that was patched
in Casa OS v0.4.7. The issue exists because the application's response differs
depending on whether the username or the password is incorrect, allowing an
attacker to enumerate usernames by observing the response. For example, if the
username is incorrect, the application returns "User does not exist" with return
code "10006", while if the password is incorrect, it returns "User does not exist
or password is invalid" with return code "10013". This allows an attacker to
determine whether a username exists without knowing the password.
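The following Go example is added here to illustrate the flaw class described above; it is constructed for this page and is not CasaOS-UserService code. It contrasts a login function that answers an unknown user and a wrong password with the two distinct code/message pairs quoted in the advisory (10006 and 10013) against a hardened variant that collapses both failures into one response, and it includes a small defender-side check that reports whether a login function's two failure responses are distinguishable. The in-memory user store, the function names, and the reuse of code 10013 for the single failure response are assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Response mirrors the shape the advisory describes: a numeric return code and
// a message. Codes 10006 and 10013 and both messages are taken from the advisory
// text; everything else in this file is constructed for illustration.
type Response struct {
	Code    int
	Message string
}

// users is a constructed in-memory credential store. A real service stores
// password hashes; plaintext is used only to keep the example self-contained.
var users = map[string]string{
	"admin": "correct-horse-battery-staple",
}

// loginVulnerable reproduces the behaviour the advisory describes: an unknown
// username and a wrong password yield different codes and messages, so a caller
// can tell which check failed.
func loginVulnerable(username, password string) Response {
	stored, ok := users[username]
	if !ok {
		return Response{Code: 10006, Message: "User does not exist"}
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return Response{Code: 10013, Message: "User does not exist or password is invalid"}
	}
	return Response{Code: 200, Message: "ok"}
}

// loginHardened returns one and the same failure response whether the user is
// unknown or the password is wrong. Reusing code 10013 here is an assumption;
// the upstream fix may use a different value. Note that this closes only the
// response-content channel: if the unknown-user path skips an expensive password
// hash, response timing can still differ and must be addressed separately.
func loginHardened(username, password string) Response {
	failure := Response{Code: 10013, Message: "User does not exist or password is invalid"}
	stored, ok := users[username]
	if ok && subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1 {
		return Response{Code: 200, Message: "ok"}
	}
	return failure
}

// leaksUserExistence is a defender-side check for a login function: it submits a
// known-valid username with a wrong password and a username that does not exist,
// and reports whether the two failure responses can be told apart.
func leaksUserExistence(login func(string, string) Response) bool {
	wrongPassword := login("admin", "not-the-password")
	unknownUser := login("no-such-user", "not-the-password")
	return wrongPassword != unknownUser
}

func main() {
	fmt.Println("vulnerable variant leaks user existence:", leaksUserExistence(loginVulnerable))
	fmt.Println("hardened variant leaks user existence:  ", leaksUserExistence(loginHardened))
}
```

Running the file prints `true` for the vulnerable variant and `false` for the hardened one. The same check can be pointed at any login function under test to catch a regression that reintroduces distinct failure responses.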

Package: pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1
Affected Version: >= 0.4.7, < 0.4.8

ID: GO-2024-2668
Severity: medium
URL: https://pkg.go.dev/vuln/GO-2024-2668
Published: 2024-04-02T17:01:26
Modified: 2024-04-04T20:46:28

Source: Security Advisory, https://github.com/advisories/GHSA-hcw2-2r9c-gc6p

Fixed:    pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 (namespace github.com/icewhaletech/casaos-userservice/route, name v1), version = 0.4.8
Affected: pkg:golang/github.com/icewhaletech/casaos-userservice/route/v1 (namespace github.com/icewhaletech/casaos-userservice/route, name v1), version >= 0.4.7, < 0.4.8