CVE-2024-28232 — Observable Response Discrepancy in Icewhaletech Casaos-userservice

CWE-204 — Observable Response Discrepancy4 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 43.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Icewhaletech Casaos-userservice Icewhale Casaos-userservice

Timeline

PublishedApr 1

Latest updateApr 2

Description

Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Gogithub.com/icewhaletech_casaos-userservice0.4.7 — 0.4.8+1

▶NVDicewhale/casaos-userservice0.4.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

▶

OSV

CasaOS Username Enumeration - Bypass of CVE-2024-24766↗2024-04-01

▶

GHSA

CasaOS Username Enumeration - Bypass of CVE-2024-24766↗2024-04-01

▶