Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdtcmYtOTlndy12dndq
/user/sessions endpoint allows detecting valid accounts
This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.
If you come across a security issue in our products, here is how you can report it to us: https://doc.ibexa.co/en/latest/guide/reporting_issues/#toc
Permalink: https://github.com/advisories/GHSA-gmrf-99gw-vvwjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdtcmYtOTlndy12dndq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-gmrf-99gw-vvwj
References:
- https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj
- https://github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed
- https://packagist.org/packages/ezsystems/ezpublish-kernel
- https://github.com/advisories/GHSA-gmrf-99gw-vvwj
Blast Radius: 0.0
Affected Packages
packagist:ezsystems/ezpublish-kernel
Dependent packages: 229Dependent repositories: 352
Downloads: 562,970 total
Affected Version Ranges: >= 7.5.0, <= 7.5.15.0, >= 6.13.0, <= 6.13.8.0
Fixed in: 7.5.15.1, 6.13.8.1
All affected versions: 6.13.0, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5, 6.13.6, 6.13.8, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.5.8, 7.5.9, 7.5.10, 7.5.11, 7.5.12, 7.5.13, 7.5.14, 7.5.15, 7.5.16, 7.5.17, 7.5.18, 7.5.19, 7.5.20, 7.5.21, 7.5.22, 7.5.23, 7.5.24, 7.5.25, 7.5.26, 7.5.27, 7.5.28, 7.5.29, 7.5.30, 7.5.31, 2013.4.0, 2013.5.0, 2013.6.0, 2013.7.0, 2013.7.1, 2013.7.2, 2013.7.3, 2013.9.0, 2013.9.1, 2013.9.2, 2013.11.0, 2013.11.1, 2014.1.0, 2014.1.1, 2014.1.2, 2014.1.3, 2014.1.4, 2014.1.5, 2014.3.1, 2014.3.2, 2014.3.3, 2014.3.4, 2014.5.0, 2014.5.1, 2014.5.2, 2014.7.0, 2014.7.1, 2014.7.2, 2014.7.3, 2014.11.0, 2014.11.1, 2014.11.2, 2014.11.3, 2014.11.4, 2014.11.5, 2014.11.6, 2014.11.7, 2014.11.8
All unaffected versions: 5.0.0, 5.2.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8, 6.7.9, 6.7.10, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.10.0, 6.10.1, 6.11.0, 6.11.1, 6.11.2, 6.11.3, 6.11.4, 6.12.0, 6.12.1