GHSA-VMF9-6PCV-XR87

Vulnerability from github – Published: 2023-08-29 23:34 – Updated: 2023-08-29 23:34
VLAI?
Summary
Username enumeration attack in goauthentik
Details

Summary

Using a recovery flow with an identification stage an attacker is able to determine if a username exists.

Impact

Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing.

Details

An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist. Depending on configuration this can either be done by username, email, or both.

The invalid and valid usernames should both show the same message and always send an email. Article for reference here: https://postmarkapp.com/guides/password-reset-email-best-practices#how-to-make-sure-your-password-reset-emails-are-secure

For more information

If you have any questions or comments about this advisory:

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@goauthentik/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.6.0"
            },
            {
              "fixed": "2023.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@goauthentik/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2023.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-39522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T23:34:51Z",
    "nvd_published_at": "2023-08-29T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nUsing a recovery flow with an identification stage an attacker is able to determine if a username exists.\n\n## Impact\nOnly setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing.\n\n## Details\n\nAn attacker can easily enumerate and check users\u0027 existence using the recovery flow, as a clear message is shown when a user doesn\u0027t exist. Depending on configuration this can either be done by username, email, or both.\n\nThe invalid and valid usernames should both show the same message and always send an email. Article for reference here: https://postmarkapp.com/guides/password-reset-email-best-practices#how-to-make-sure-your-password-reset-emails-are-secure\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)\n",
  "id": "GHSA-vmf9-6pcv-xr87",
  "modified": "2023-08-29T23:34:51Z",
  "published": "2023-08-29T23:34:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-vmf9-6pcv-xr87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goauthentik/authentik/commit/aa874dd92a770d5f8cd8f265b7cdd31cd73a4599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goauthentik/authentik"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Username enumeration attack in goauthentik"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.