GO-2024-2615

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2615

Import Source

https://vuln.go.dev/ID/GO-2024-2615.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2615

Aliases

CVE-2024-24766
GHSA-c967-2652-gfjm

Published

2024-03-14T17:12:59Z

Modified

2024-05-20T16:03:47Z

Summary

Username enumeration in github.com/IceWhaleTech/CasaOS-UserService

Details

CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2615"
}

References

Credits

- DrDark1999

Affected packages

Go / github.com/IceWhaleTech/CasaOS-UserService

Package

Name: github.com/IceWhaleTech/CasaOS-UserService; View open source insights on deps.dev
Purl: pkg:golang/github.com/IceWhaleTech/CasaOS-UserService

Affected ranges

Type: SEMVER
Events: Introduced

0.4.4-3-alpha1

Fixed

0.4.7

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
            "symbols": [
                "PostUserLogin",
                "PutUserInfo"
            ]
        }
    ]
}