CVE-2022-39314

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39314
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39314.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39314
Aliases
Published
2022-10-24T00:00:00Z
Modified
2025-11-19T11:11:05.464724Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
User enumeration in the code-based login and password reset forms
Details

Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the code or password-reset auth method with the auth.methods option or if you have enabled the debug option in production. By using two or more IP addresses and multiple login attempts, valid user accounts will lock, but invalid accounts will not, leading to account enumeration. This issue has been patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. If you cannot update immediately, you can work around the issue by setting the auth.methods option to password, which disables the code-based login and password reset forms.

Database specific 
{
    "cwe_ids": [
        "CWE-307"
    ]
}
References

Affected packages

Git / github.com/getkirby/kirby

Affected ranges

Type
GIT
Repo
https://github.com/getkirby/kirby
Events
Introduced
0d2751af7cb478df14f30fac47fe9a2cd3b38114
Fixed
94a9abdfc20f1e98adb9e8696910fcd1f1d6dd99
Database specific 
{
    "versions": [
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.8.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/getkirby/kirby
Events
Introduced
d210f26602cf72c926d8ccf8befd61d7831888da
Fixed
9a3ecf893488df745f5516d5e490a655a4e85c21
Database specific 
{
    "versions": [
        {
            "introduced": "3.7.0"
        },
        {
            "fixed": "3.7.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/getkirby/kirby
Events
Introduced
021ad65cc249f77415443bd357a2234494ed0dfe
Fixed
021ad65cc249f77415443bd357a2234494ed0dfe
Database specific 
{
    "versions": [
        {
            "introduced": "3.8.1"
        },
        {
            "fixed": "3.8.1"
        }
    ]
}

Affected versions

3.*

3.8.1