vantage6 vulnerable to username timing attack · CVE-2024-21671 · GitHub Advisory Database · GitHub

vantage6 vulnerable to username timing attack

Low severity GitHub Reviewed Published Jan 30, 2024 in vantage6/vantage6 • Updated Feb 8, 2024

Package

vantage6-server (pip)

Affected versions

< 4.2.0

Patched versions

4.2.0

Description

Impact

It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks

Workarounds

No

References

bartvanb published to vantage6/vantage6

Jan 30, 2024

Published by the National Vulnerability Database

Jan 30, 2024

Published to the GitHub Advisory Database Jan 30, 2024

Reviewed Jan 30, 2024

Last updated Feb 8, 2024

Severity

Low

3.7

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N