GHSA-WMWF-49VV-P3MR

Vulnerability from github – Published: 2023-08-03 19:44 – Updated: 2023-08-04 13:31
Summary
Sulu Observable Response Discrepancy on Admin Login
Details

Impact

Through the Admin Login form it is possible to detect which users (by username or email) exist and which do not, because the failure response differs between the two cases.

Affected are Sulu installations >= 2.5.0 and < 2.5.10 that use the newer Symfony security system, which is the default since Symfony 6.0 but can also be enabled in Symfony 5.4. Sulu installations still on the old Symfony 5.4 security system, as well as earlier Sulu versions, are not affected by this issue.

Patches

The problem has been patched in version 2.5.10.

Workarounds

Create a custom AuthenticationFailureHandler that returns $exception->getMessageKey() instead of $exception->getMessage().
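One way to implement the workaround above, as an added example rather than Sulu's own handler (the class name, namespace and firewall wiring are assumptions):

```php
<?php
// Added example, not part of the Sulu project: a custom Symfony failure handler
// that answers every failed admin login with the generic message key instead of
// the exception's concrete message, so the response no longer reveals whether
// the submitted username/email exists.
//
// Assumed wiring in config/packages/security.yaml (adjust the firewall name):
//   firewalls:
//     admin:
//       json_login:
//         failure_handler: App\Security\UniformAuthenticationFailureHandler

namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;

final class UniformAuthenticationFailureHandler implements AuthenticationFailureHandlerInterface
{
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        // Leaky variant described by the advisory: getMessage() carries the
        // concrete failure reason, which differs between an unknown account and
        // a wrong password and thus lets a client tell the two apart.
        // $message = $exception->getMessage();

        // Fixed variant: getMessageKey() is the translation key Symfony intends
        // for user-facing display, not the internal reason.
        $message = $exception->getMessageKey();

        // Same status code and same body shape for every failure.
        return new JsonResponse(['message' => $message], Response::HTTP_UNAUTHORIZED);
    }
}
```

Keep Symfony's `hide_user_not_found` firewall option at its default (enabled) so that user-lookup failures are already reported as bad-credential failures before they reach this handler.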

References

Currently no references.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-39343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T19:44:28Z",
    "nvd_published_at": "2023-08-04T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIt allows over the Admin Login form to detect which user (username, email) exists and which one do not exist.\n\nImpacted by this issue are Sulu installation \u003e= 2.5.0 and \u003c2.5.10 using the newer Symfony Security System which is default since Symfony 6.0 but can be enabled in Symfony 5.4. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue.\n\n### Patches\n\nThe problem has been patched in version 2.5.10. \n\n### Workarounds\n\nCreate a custom AuthenticationFailureHandler which does not return the `$exception-\u003egetMessage();` instead the `$exception-\u003egetMessageKey();`\n\n### References\n\nCurrently no references.\n",
  "id": "GHSA-wmwf-49vv-p3mr",
  "modified": "2023-08-04T13:31:19Z",
  "published": "2023-08-03T19:44:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sulu/sulu/CVE-2023-39343.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sulu/sulu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/releases/tag/2.5.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sulu Observable Response Discrepancy on Admin Login"
}