Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NWdxLXE0eGgtY3A1M84AA48y
vantage6 vulnerable to username timing attack
Impact
It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks
Workarounds
No
Permalink: https://github.com/advisories/GHSA-45gq-q4xh-cp53JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NWdxLXE0eGgtY3A1M84AA48y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-45gq-q4xh-cp53, CVE-2024-21671
References:
- https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53
- https://nvd.nist.gov/vuln/detail/CVE-2024-21671
- https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30
- https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-31.yaml
- https://github.com/advisories/GHSA-45gq-q4xh-cp53
Blast Radius: 0.0
Affected Packages
pypi:vantage6-server
Dependent packages: 0Dependent repositories: 1
Downloads: 1,621 last month
Affected Version Ranges: < 4.2.0
Fixed in: 4.2.0
All affected versions: 0.0.0, 1.0.0, 1.0.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.9.0, 3.10.0, 3.10.1, 3.10.3, 3.10.4, 3.11.0, 3.11.1, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3
All unaffected versions: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.4