GHSA-g84q-cq55-xwgp

Source

https://github.com/advisories/GHSA-g84q-cq55-xwgp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g84q-cq55-xwgp/GHSA-g84q-cq55-xwgp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g84q-cq55-xwgp

Published

2024-05-27T19:16:12Z

Modified

2024-12-02T05:56:49.758607Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

silverstripe/framework member disclosure in login form

Details

There is a user ID enumeration vulnerability in our brute force error messages.

Users that don't exist in will never get a locked out message
Users that do exist, will get a locked out message

This means an attacker can infer or confirm user details that exist in the member table.

This issue has been resolved by ensuring that login attempt logging and lockout process works equivalently for non-existent users as it does for existant users.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T19:16:12Z"
}

References

Affected packages

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0-rc1

Fixed

3.4.6

Affected versions

3.*

3.4.0-rc1

3.4.0

3.4.1-rc1

3.4.1-rc2

3.4.1

3.4.2

3.4.3-rc1

3.4.3

3.4.4-rc1

3.4.4

3.4.5-rc1

3.4.5

3.4.6-rc1

3.4.6-rc2

Packagist / silverstripe/framework

Package

Name: silverstripe/framework
Purl: pkg:composer/silverstripe/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.5.0-rc1

Fixed

3.5.4

Affected versions

3.*

3.5.0-rc1

3.5.0-rc2

3.5.0-rc3

3.5.0

3.5.1-rc1

3.5.1-rc2

3.5.1

3.5.2-rc1

3.5.2

3.5.3-rc1

3.5.3

3.5.4-rc1