Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exists in the system takes significantly longer than performing the same action with a username that is not known to the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.
History

Wed, 04 Dec 2024 22:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dependencytrack
                    |                | Dependencytrack dependency-track
CPEs                |                | cpe:2.3:a:dependencytrack:dependency-track:*:*:*:*:*:*:*:*
Vendors & Products  |                | Dependencytrack
                    |                | Dependencytrack dependency-track
Metrics             |                | ssvc
                    |                | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Dec 2024 15:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exists in the system takes significantly longer than performing the same action with a username that is not known to the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.
Title       |                | Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint
Weaknesses  |                | CWE-203
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-04T15:33:04.796Z

Updated: 2024-12-04T21:39:50.554Z

Reserved: 2024-11-25T23:14:36.384Z

Link: CVE-2024-54002

Vulnrichment

Updated: 2024-12-04T19:18:17.555Z

NVD

Status: Received

Published: 2024-12-04T16:15:26.537

Modified: 2024-12-04T16:15:26.537

Link: CVE-2024-54002

Redhat

No data.