Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.
Metrics
Affected Vendors & Products
References
History
Wed, 04 Dec 2024 22:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Dependencytrack
Dependencytrack dependency-track |
|
CPEs | cpe:2.3:a:dependencytrack:dependency-track:*:*:*:*:*:*:*:* | |
Vendors & Products |
Dependencytrack
Dependencytrack dependency-track |
|
Metrics |
ssvc
|
Wed, 04 Dec 2024 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2. | |
Title | Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint | |
Weaknesses | CWE-203 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-12-04T15:33:04.796Z
Updated: 2024-12-04T21:39:50.554Z
Reserved: 2024-11-25T23:14:36.384Z
Link: CVE-2024-54002
Vulnrichment
Updated: 2024-12-04T19:18:17.555Z
NVD
Status : Received
Published: 2024-12-04T16:15:26.537
Modified: 2024-12-04T16:15:26.537
Link: CVE-2024-54002
Redhat
No data.