GO-2024-2668

Source
https://pkg.go.dev/vuln/GO-2024-2668
Import Source
https://vuln.go.dev/ID/GO-2024-2668.json
Aliases
Published
2024-04-02T19:34:11Z
Modified
2024-04-03T16:35:05Z
Details

The Casa OS login page has a username enumeration vulnerability that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or the password is incorrect, allowing an attacker to enumerate usernames by observing the response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine whether a username exists without knowing the password.
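The response difference described above, next to a handler that answers every failed login identically, as an added example that is not CasaOS-UserService code. The function names, the sample user store and `codeOK` are assumptions; the failure codes and messages are the ones quoted in the advisory.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Failure codes and messages are the ones quoted in the advisory; codeOK is assumed.
const (
	codeOK           = 200
	codeUserNotExist = 10006
	codeInvalidCreds = 10013
)

type loginResult struct{ Code int; Msg string }

func digest(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// Constructed sample store; SHA-256 stands in for a real slow password hash.
var users = map[string][32]byte{"alice": digest("correct horse")}

// loginLeaky reproduces the behaviour the advisory describes:
// an unknown user and a wrong password produce different responses.
func loginLeaky(user, pw string) loginResult {
	stored, ok := users[user]
	if !ok {
		return loginResult{codeUserNotExist, "User does not exist"}
	}
	if got := digest(pw); subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		return loginResult{codeInvalidCreds, "User does not exist or password is invalid"}
	}
	return loginResult{codeOK, "ok"}
}

// loginUniform returns one code and one message for every failed attempt,
// and hashes and compares even when the user is unknown so both paths do the same work.
func loginUniform(user, pw string) loginResult {
	stored, ok := users[user] // zero digest when the user is unknown
	got := digest(pw)
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	if !ok || !match {
		return loginResult{codeInvalidCreds, "User does not exist or password is invalid"}
	}
	return loginResult{codeOK, "ok"}
}

func main() {
	fmt.Println(loginLeaky("nobody", "x"), loginUniform("nobody", "x"))
}
```

A regression test for this class of bug compares the full response (status, code and body) for an unknown user against that for a known user with a wrong password and requires them to be equal.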

References

Affected packages

Go / github.com/IceWhaleTech/CasaOS-UserService

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
0.4.8

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
            "symbols": [
                "PostUserLogin"
            ]
        }
    ]
}