GHSA-579x-cjvr-cqj9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-579x-cjvr-cqj9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-579x-cjvr-cqj9/GHSA-579x-cjvr-cqj9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-579x-cjvr-cqj9
- Aliases
- Published
- 2021-09-20T19:53:55Z
- Modified
- 2024-02-17T05:23:44.606420Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Observable Response Discrepancy in Lost Password Service
- Details
-
Impact
It is possible to enumerate usernames via the forgot password functionality
Patches
Update to version
10.1.3or apply this patch manually: https://github.com/pimcore/pimcore/pull/10223.patchWorkarounds
Apply https://github.com/pimcore/pimcore/pull/10223.patch manually.
- Database specific
{ "nvd_published_at": "2021-09-15T14:15:00Z", "cwe_ids": [ "CWE-203", "CWE-204" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-09-17T18:38:47Z" }- References
-
- https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39189
- https://github.com/pimcore/pimcore/pull/10223.patch
- https://github.com/pimcore/pimcore/pull/10223/commits/d0a4de39cf05dce6af71f8ca039132bdfcbb0dce
- https://github.com/pimcore/pimcore
- https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c
Affected packages
Packagist / pimcore/pimcore
Package
- Name
- pimcore/pimcore
- Purl
- pkg:composer/pimcore/pimcore
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.1.3
Affected versions
2.*
2.2.0
2.2.1
2.2.2
2.3.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.1.1
4.*
4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
v5.*
v5.0.0-RC
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0-alpha
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.4.0
v6.4.1
v6.4.2
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.6.10
v6.6.11
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.8.10
v6.8.11
v6.8.12
v6.9.0
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v10.*
v10.0.0-BETA1
v10.0.0-BETA2
v10.0.0-BETA3
v10.0.0-BETA4
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.9
v10.1.0
v10.1.1
v10.1.2
10.*
10.0.8