CVE-2021-46876: User account enumeration in eZ Publish Ibexa Kernel

March 12, 2023 (updated March 5, 2025)

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

References

github.com/advisories/GHSA-89p3-9j8c-fqh4
github.com/ezsystems/ezpublish-kernel
github.com/ezsystems/ezpublish-kernel/commit/b496f073c3f03707d3531a6941dc098b84e3cbed
github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-gmrf-99gw-vvwj
nvd.nist.gov/vuln/detail/CVE-2021-46876

Code Behaviors & Features

Detect and mitigate CVE-2021-46876 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →