CVE-2022-39314

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39314

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39314.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39314

Aliases

GHSA-43qq-qw4x-28f8

Related

GHSA-43qq-qw4x-28f8

Published

2022-10-24T14:15:51Z

Modified

2024-11-21T07:18:00Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the code or password-reset auth method with the auth.methods option or if you have enabled the debug option in production. By using two or more IP addresses and multiple login attempts, valid user accounts will lock, but invalid accounts will not, leading to account enumeration. This issue has been patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. If you cannot update immediately, you can work around the issue by setting the auth.methods option to password, which disables the code-based login and password reset forms.

References

https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8

Affected packages

Git / github.com/getkirby/kirby

Affected ranges

Type: GIT
Repo: https://github.com/getkirby/kirby
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

94a9abdfc20f1e98adb9e8696910fcd1f1d6dd99