GHSA-36gx-9q6h-g429
Suggest an improvement- Source
- https://github.com/advisories/GHSA-36gx-9q6h-g429
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-36gx-9q6h-g429/GHSA-36gx-9q6h-g429.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-36gx-9q6h-g429
- Aliases
- Published
- 2023-02-28T23:18:37Z
- Modified
- 2024-11-29T05:41:33.832803Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- vantage6 vulnerable to Observable Response Discrepancy
- Details
-
Impact
We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don't let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.
Patches
Update to 3.8.0+
Workarounds
No
References
https://github.com/vantage6/vantage6/issues/59
For more information
If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl
- Database specific
{ "nvd_published_at": "2023-03-01T17:15:00Z", "github_reviewed": true, "github_reviewed_at": "2023-02-28T23:18:37Z", "severity": "MODERATE", "cwe_ids": [ "CWE-203", "CWE-204" ] }- References
-
- https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429
- https://nvd.nist.gov/vuln/detail/CVE-2022-39228
- https://github.com/vantage6/vantage6/issues/59
- https://github.com/vantage6/vantage6/pull/281
- https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2
- https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-52.yaml
- https://github.com/vantage6/vantage6
Affected packages
PyPI / vantage6
Package
- Name
- vantage6
- View open source insights on deps.dev
- Purl
- pkg:pypi/vantage6
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.8.0
Affected versions
0.*
0.0.0b0
0.0.0b1
0.0.0b3
0.0.0
1.*
1.0.0a1
1.0.0a2
1.0.0b2
1.0.0b3
1.0.0b4
1.0.0b5
1.0.0b6
1.0.0b7
1.0.0b8
1.0.0b9
1.0.0b10
1.0.0b11
1.0.0b12
1.0.0b13
1.0.0b14
1.0.0
1.1.0rc1
1.1.0rc2
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.3.post2
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0
2.0.0.post1
2.0.1rc1
2.0.1rc2
2.1.0rc1
2.1.0
2.1.1
2.2.0b1
2.2.0b2
2.2.0b3
2.2.0b4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0rc1
2.3.0rc2
2.3.0rc3
2.3.0rc4
2.3.0rc5
2.3.0
2.3.1
2.3.2rc1
2.3.2
2.3.3
2.3.4
2.3.5b1
2.3.5
3.*
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b5
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc5
3.1.0rc6
3.1.0rc7
3.1.0rc8
3.1.0rc9
3.1.0
3.1.1rc1
3.1.1rc2
3.2.0rc1
3.2.0rc2
3.2.0rc3
3.2.0rc4
3.2.0rc5
3.2.0
3.3.0a0
3.3.0rc1
3.3.0rc2
3.3.0rc3
3.3.0rc4
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7a2
3.3.7a3
3.3.7
3.3.8a1
3.3.8a2
3.3.8a4
3.3.8a5
3.3.8a6
3.3.8a7
3.3.8a8
3.4.0a1
3.4.0a2
3.4.0a3
3.4.0a6
3.4.0
3.4.1a0
3.4.1a1
3.4.1a2
3.4.1a3
3.4.1
3.4.2a0
3.4.2
3.4.3
3.5.0rc1
3.5.0rc2
3.5.0rc3
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1rc1
3.6.1rc2
3.6.1rc3
3.6.1
3.7.0rc1
3.7.0rc2
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0rc3