CVE-2024-45052: Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication

September 4, 2024

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system.

References

github.com/advisories/GHSA-2h46-8gf5-fmxv
github.com/ethyca/fides
github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv
nvd.nist.gov/vuln/detail/CVE-2024-45052

Detect and mitigate CVE-2024-45052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →