CVE-2024-24770: vantage6 vulnerable to a username timing attack on recover password/MFA token
Impact
Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost
and /2fa/lost
, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response “Failed to login” if the username exists.
Patches
No
Workarounds
No
References
- github.com/advisories/GHSA-5h3x-6gwf-73jm
- github.com/vantage6/vantage6
- github.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b
- github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53
- github.com/vantage6/vantage6/security/advisories/GHSA-5h3x-6gwf-73jm
- nvd.nist.gov/vuln/detail/CVE-2024-24770
Detect and mitigate CVE-2024-24770 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →