CVE-2024-54002

4 Dic 2024

Título es

CVE-2024-54002

Mié, 04/12/2024 – 16:15

Tipo

CWE-203

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-54002

Descripción en

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.

04/12/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)

5.30

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

MEDIUM

Referencias

https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-9w3m-hm36-w32w

Enviar en el boletín

Off

CVE-2024-54002

CVE-2024-54002

Jose Alexis Correa Valencia