GMS-2023-491: vantage6 vulnerable to Observable Response Discrepancy

March 1, 2023 (updated March 9, 2023)

Impact

We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that we don’t let the user know in case of wrong username/password combination if the username actually exists, to prevent that bots can guess usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist.

Patches

Update to 3.8.0+

Workarounds

References

https://github.com/vantage6/vantage6/issues/59

For more information

If you have any questions or comments about this advisory:

Email us at vantage6@iknl.nl

References

Code Behaviors & Features

Detect and mitigate GMS-2023-491 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →