Observable Response Discrepancy in vantage6

Low
frankcorneliusmartin published GHSA-36gx-9q6h-g429 Feb 28, 2023

Package

vantage6 (pip)

Affected versions

< 3.3.3

Patched versions

3.8.0

Description

Impact

We are incorporating the password policies listed in #59. One measure is that, on a wrong username/password combination, we do not tell the user whether the username actually exists, to prevent bots from guessing usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. Because that lockout response is only produced for accounts that exist, an observer could still find out which usernames exist.
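The discrepancy described above, reduced to a minimal login handler, as an added illustration that is not vantage6 project code. The leaky handler returns a distinct "locked" message only for real accounts; the hardened handler keeps the lockout but returns the same generic message for unknown, locked and wrong-password cases. The user table, `MAX_ATTEMPTS`, the message strings and the PBKDF2 parameters are all constructed for this example.

```python
"""Added example (not vantage6 code): observable response discrepancy in a
login handler with account lockout, beside a uniform-response version.
All names and values here are constructed for illustration."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3                      # constructed lockout threshold
GENERIC_MSG = "Invalid username or password"
LOCKED_MSG = "Account temporarily locked"
PBKDF2_ITERS = 10_000                 # kept low for the example; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed: int = 0                   # consecutive failed attempts


def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt))


# Dummy account used so the hardened path does the same work for unknown usernames.
_DUMMY = make_account(secrets.token_hex(16))


def login_leaky(users: dict, username: str, password: str) -> str:
    """Pre-fix behaviour: the lockout message is only reachable for existing accounts,
    so the response itself reveals whether the username exists."""
    acct = users.get(username)
    if acct is None:
        return GENERIC_MSG
    if acct.failed >= MAX_ATTEMPTS:
        return LOCKED_MSG             # distinguishable from the unknown-user response
    if hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
        acct.failed = 0
        return "OK"
    acct.failed += 1
    return GENERIC_MSG


def login_uniform(users: dict, username: str, password: str) -> str:
    """Hardened: lockout is still enforced, but the caller sees the same message
    whether the account is unknown, locked, or the password is wrong."""
    acct = users.get(username, _DUMMY)
    # Always run the hash so unknown and known usernames cost the same.
    ok = hmac.compare_digest(acct.digest, _hash(password, acct.salt))
    if acct is _DUMMY or acct.failed >= MAX_ATTEMPTS or not ok:
        if acct is not _DUMMY:
            acct.failed += 1          # locked accounts stay locked; no leak either way
        return GENERIC_MSG
    acct.failed = 0
    return "OK"


def responses_differ(handler, users: dict, real: str, unknown: str,
                     attempts: int = MAX_ATTEMPTS + 1) -> bool:
    """Defensive check: after `attempts` wrong passwords, does the handler give a
    different set of responses for an existing username than for an unknown one?"""
    seen_real = {handler(users, real, "wrong-password") for _ in range(attempts)}
    seen_unknown = {handler(users, unknown, "wrong-password") for _ in range(attempts)}
    return seen_real != seen_unknown


if __name__ == "__main__":
    # Constructed user table with a single real account.
    print("leaky handler leaks existence:", responses_differ(login_leaky, {"alice": make_account("pw")}, "alice", "bob"))
    print("uniform handler leaks existence:", responses_differ(login_uniform, {"alice": make_account("pw")}, "alice", "bob"))
```

`responses_differ` is the kind of assertion worth keeping in a test suite: it fails the moment a future change reintroduces a per-account message. With uniform responses the legitimate user is no longer told they are locked out, so a hardened deployment typically notifies them out of band (for example by email) rather than in the login response.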

Patches

Update to 3.8.0+

Workarounds

No

References

#59

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-39228

Weaknesses