GMS-2023-491: vantage6 vulnerable to Observable Response Discrepancy
Impact
We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that, on a wrong username/password combination, we do not tell the user whether the username actually exists, to prevent bots from guessing usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. Because only an existing account can be blocked, the lockout response still reveals which usernames exist.
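The discrepancy described above, as an added illustration that is not vantage6's own code (the user store, lockout threshold, messages and the `login_*` functions are constructed for this example, and the real 3.8.0 fix may differ): the vulnerable handler answers unknown names and wrong passwords identically, but its lockout branch only exists for real accounts; the hardened handler counts attempts for every submitted name and gives one answer for every failure, lockout included.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_ATTEMPTS = 3          # assumed lockout threshold (illustration only)
GENERIC = "invalid username or password"


def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 so checking a password costs the same on every branch
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


# Constructed user store: username -> (salt, derived key)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = _hash("dummy", _SALT)   # used for unknown names so work is uniform
_failed = defaultdict(int)       # per-name failed-attempt counter (in memory)


def reset_attempts() -> None:
    _failed.clear()


def login_vulnerable(username: str, password: str) -> str:
    """Generic error on bad credentials, but the lockout branch is only
    reachable for real accounts, so "blocked" reveals that the name exists."""
    record = USERS.get(username)
    if record is None:
        return GENERIC
    if _failed[username] >= MAX_ATTEMPTS:
        return "account temporarily blocked"   # observable discrepancy
    salt, key = record
    if hmac.compare_digest(_hash(password, salt), key):
        _failed[username] = 0
        return "ok"
    _failed[username] += 1
    return GENERIC


def login_hardened(username: str, password: str) -> str:
    """Counts attempts for every submitted name and answers every failure,
    lockout included, with the same message. The block is still enforced:
    a correct password is rejected once the threshold is reached."""
    salt, key = USERS.get(username, (_SALT, _DUMMY))
    blocked = _failed[username] >= MAX_ATTEMPTS
    # Always derive the key so an unknown name takes as long as a known one
    match = hmac.compare_digest(_hash(password, salt), key)
    if match and not blocked and username in USERS:
        _failed[username] = 0
        return "ok"
    _failed[username] += 1
    return GENERIC
```

With the hardened handler the lockout is enforced silently; if users must be told about a block, deliver that out of band (for example by e-mail to the account owner) rather than in the login response.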
Patches
Update to 3.8.0+
Workarounds
No
References
https://github.com/vantage6/vantage6/issues/59
For more information
If you have any questions or comments about this advisory:
- Email us at vantage6@iknl.nl