GHSA-7vwg-39h8-8qp8

Source
https://github.com/advisories/GHSA-7vwg-39h8-8qp8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-7vwg-39h8-8qp8/GHSA-7vwg-39h8-8qp8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7vwg-39h8-8qp8
Published
2021-03-11T17:42:01Z
Modified
2024-12-02T05:41:28.326731Z
Summary
/user/sessions endpoint allows detecting valid accounts
Details

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect whether a given username or email refers to a valid account. The difference can be observed either in the response data or in the response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-203"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-11T17:41:09Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-rest

Package

Name
ezsystems/ezplatform-rest
Purl
pkg:composer/ezsystems/ezplatform-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2.1

Affected versions

v1.*

v1.2.0
v1.2.1
v1.2.2

Database specific

{
    "last_known_affected_version_range": "<= 1.2.2.0"
}

Packagist / ezsystems/ezplatform-rest

Package

Name
ezsystems/ezplatform-rest
Purl
pkg:composer/ezsystems/ezplatform-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.1.1

Affected versions

v1.*

v1.3.0
v1.3.1

Database specific

{
    "last_known_affected_version_range": "<= 1.3.1.0"
}