GO-2024-2668

Source
https://pkg.go.dev/vuln/GO-2024-2668
Import Source
https://vuln.go.dev/ID/GO-2024-2668.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2668
Aliases
Published
2024-04-02T19:34:11Z
Modified
2024-05-20T16:03:47Z
Summary
Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
Details

The Casa OS login page has a username enumeration vulnerability that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or the password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine whether a username exists without knowing the password.
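The response difference described above, next to a login check that answers every failure identically. This is an added example, not code from CasaOS-UserService: the function names, the in-memory store, the success code 200 and the choice of 10013 as the single failure code are assumptions; only the codes 10006 and 10013 and their messages come from the advisory.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const (
	codeOK           = 200   // assumed success code, not from the advisory
	codeUserNotExist = 10006 // "User does not exist"
	codeInvalidLogin = 10013 // "User does not exist or password is invalid"
)

// Constructed store; SHA-256 is a stdlib stand-in for bcrypt or argon2id.
var users = map[string][32]byte{"admin": sha256.Sum256([]byte("correct horse"))}

func matches(pass string, stored [32]byte) bool {
	sum := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(sum[:], stored[:]) == 1
}

// loginLeaky reproduces the described behaviour: the code reveals existence.
func loginLeaky(user, pass string) int {
	stored, ok := users[user]
	if !ok {
		return codeUserNotExist
	}
	if !matches(pass, stored) {
		return codeInvalidLogin
	}
	return codeOK
}

// loginUniform hashes and compares on every path and returns one failure code.
func loginUniform(user, pass string) int {
	stored, ok := users[user] // zero array when the user is unknown
	if good := matches(pass, stored); !ok || !good {
		return codeInvalidLogin
	}
	return codeOK
}

// leaksUsername is a regression check: do a missing and an existing user differ?
func leaksUsername(login func(user, pass string) int) bool {
	return login("admin", "wrong") != login("no-such-user", "wrong")
}

func main() { fmt.Println(leaksUsername(loginLeaky), leaksUsername(loginUniform)) }
```

A check like `leaksUsername` can sit in a handler's test suite so that a later change reintroducing distinct failure responses is caught before release.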

References
Credits
    • DrDark1999

Affected packages

Go / github.com/IceWhaleTech/CasaOS-UserService

Package

Name
github.com/IceWhaleTech/CasaOS-UserService
Purl
pkg:golang/github.com/IceWhaleTech/CasaOS-UserService

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.4.8

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/IceWhaleTech/CasaOS-UserService/route/v1",
            "symbols": [
                "PostUserLogin"
            ]
        }
    ]
}