Vulnerability Report: GO-2024-2668
- CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Apr 02, 2024
- Modified: May 20, 2024
The CasaOS login endpoint has a username enumeration vulnerability that was patched in CasaOS v0.4.7 (the affected Go module range listed below is CasaOS-UserService before v0.4.8). The application's response differs depending on whether the username or the password is wrong, so an attacker can enumerate valid usernames by observing the response to a login attempt with an arbitrary password. For an unknown username the application returns "User does not exist" with return code 10006; for a known username with a wrong password it returns "User does not exist or password is invalid" with return code 10013. The two distinct codes let an attacker confirm that a username exists without knowing its password.
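The following Go program is an added example, not CasaOS code. It models the leaky login described in the report beside a hardened variant that collapses both failure cases into one code and message, and includes a small probe that a tester can run against a handler to check whether it still leaks. The JSON field names, the endpoint path, the in-memory user store and the test credentials are assumptions made for the example; only the two return codes and messages come from the report.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Response is an assumed shape for the login reply: a numeric return
// code plus a message. The field names are not taken from CasaOS.
type Response struct {
	Success int    `json:"success"`
	Message string `json:"message"`
}

// Constructed user store for the example (plaintext only to keep the
// example short; real code compares against a password hash).
var users = map[string]string{"admin": "correct-horse-battery-staple"}

// Codes and messages as quoted in the report.
const (
	codeUserNotFound    = 10006 // "User does not exist"
	codeUserOrPassWrong = 10013 // "User does not exist or password is invalid"
	codeOK              = 200   // assumed success code for the example
)

// vulnerableLogin reproduces the leaky behaviour: an unknown username
// and a wrong password for a known username yield different codes.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	user, pass := r.FormValue("username"), r.FormValue("password")
	stored, ok := users[user]
	switch {
	case !ok:
		writeJSON(w, Response{Success: codeUserNotFound, Message: "User does not exist"})
	case stored != pass:
		writeJSON(w, Response{Success: codeUserOrPassWrong, Message: "User does not exist or password is invalid"})
	default:
		writeJSON(w, Response{Success: codeOK, Message: "ok"})
	}
}

// hardenedLogin returns one code and one message for every failure, so
// the reply no longer says whether the username exists. (Timing of the
// lookup and compare is a separate channel not addressed here.)
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	user, pass := r.FormValue("username"), r.FormValue("password")
	stored, ok := users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(pass)) != 1 {
		writeJSON(w, Response{Success: codeUserOrPassWrong, Message: "User does not exist or password is invalid"})
		return
	}
	writeJSON(w, Response{Success: codeOK, Message: "ok"})
}

func writeJSON(w http.ResponseWriter, v Response) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}

// probe posts one login attempt to h and returns the numeric code from
// the JSON reply, or -1 if the reply could not be decoded.
func probe(h http.HandlerFunc, user, pass string) int {
	form := url.Values{"username": {user}, "password": {pass}}
	req := httptest.NewRequest(http.MethodPost, "/v1/users/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	var resp Response
	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
		return -1
	}
	return resp.Success
}

// LeaksUsernames reports whether h lets a caller tell a valid username
// from an invalid one without knowing any password. It tries a name that
// is known to be absent and one known to exist (here "admin", a
// constructed account), both with a junk password, and compares codes.
func LeaksUsernames(h http.HandlerFunc) bool {
	return probe(h, "no-such-user", "junk") != probe(h, "admin", "junk")
}

func main() {
	fmt.Println("vulnerable handler leaks usernames:", LeaksUsernames(vulnerableLogin))
	fmt.Println("hardened handler leaks usernames:", LeaksUsernames(hardenedLogin))
}
```

The probe is the same check a pentester applies to a live instance: two login attempts with a bad password, one for a name that cannot exist and one for a name known to be valid, compared on every observable part of the reply (status, body, code). The fix is not to change the strings but to make the two failure paths indistinguishable.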
Affected Packages
- Path: github.com/IceWhaleTech/CasaOS-UserService
  Go Versions: before v0.4.8
  Symbols: (none listed)
References
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb
- https://vuln.go.dev/ID/GO-2024-2668.json
Credits
- DrDark1999