CVE-2019-16394 — Observable Discrepancy in Spip

CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.3MEDIUMNVD

OSV6.1

EPSS

56.7%

top 1.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip Canonical Ubuntu Linux +1 more

Timeline

PublishedSep 17

Latest updateMay 24

Description

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDspip/spip3.2.0 — 3.2.5+1

▶debiandebian/spip< spip 3.2.5-1 (bullseye)

▶Debianspip/spip< 3.2.5-1+2

▶Ubuntuspip/spip< 3.1.4-4~deb9u3build0.18.04.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 18.04

Patches

Patch: blog.spip.net ↗Patch: core.spip.net ↗Patch: zone.spip.net ↗

🔴Vulnerability Details

GHSA

GHSA-r5w4-9849-g226: SPIP before 3↗2022-05-24

▶

OSV

spip vulnerabilities↗2020-09-24

▶

OSV

CVE-2019-16394: SPIP before 3↗2019-09-17

▶

📋Vendor Advisories

Ubuntu

SPIP vulnerabilities↗2020-09-24

▶

Debian

CVE-2019-16394: spip - SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from t...↗2019

▶