CVE-2024-24766 — Observable Response Discrepancy in Icewhaletech Casaos-userservice

CWE-204 — Observable Response Discrepancy CWE-203 — Observable Discrepancy6 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Icewhaletech Casaos-userservice Icewhale Casaos-userservice Icewhaletech Casaos-userservice

Timeline

PublishedMar 6

Latest updateApr 1

Description

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Gogithub.com/icewhaletech_casaos-userservice0.4.7 — 0.4.8+2

▶NVDicewhale/casaos-userservice0.4.4-3 — 0.4.7

▶CVEListV5icewhaletech/casaos-userservice= 0.4.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CasaOS Username Enumeration - Bypass of CVE-2024-24766↗2024-04-01

▶

GHSA

CasaOS Username Enumeration - Bypass of CVE-2024-24766↗2024-04-01

▶

OSV

Username enumeration in github.com/IceWhaleTech/CasaOS-UserService↗2024-03-14

▶

OSV

CasaOS Username Enumeration↗2024-03-06

▶

GHSA

CasaOS Username Enumeration↗2024-03-06

▶