GMS-2023-491: vantage6 vulnerable to Observable Response Discrepancy

March 1, 2023 (updated March 9, 2023)

Impact

We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don’t let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.

Patches

Update to 3.8.0+

Workarounds

References

https://github.com/vantage6/vantage6/issues/59

For more information

If you have any questions or comments about this advisory:

Email us at vantage6@iknl.nl

References

github.com/advisories/GHSA-36gx-9q6h-g429
github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2
github.com/vantage6/vantage6/issues/59
github.com/vantage6/vantage6/pull/281
github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429

Detect and mitigate GMS-2023-491 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →