Vulnerability Report: GO-2024-2615

CVE-2024-24766, GHSA-c967-2652-gfjm
Affects: github.com/IceWhaleTech/CasaOS-UserService
Published: Mar 14, 2024
Modified: May 20, 2024

CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.

For detailed information about this vulnerability, visit https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm.

Affected Packages

Path

Go Versions

Symbols
github.com/IceWhaleTech/CasaOS-UserService/route/v1

from v0.4.4-3-alpha1 before v0.4.7
- PostUserLogin
- PutUserInfo

Aliases

CVE-2024-24766
GHSA-c967-2652-gfjm

References

https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm
https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
https://vuln.go.dev/ID/GO-2024-2615.json

Credits

DrDark1999

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL