GMS-2023-491: vantage6 vulnerable to Observable Response Discrepancy
We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One of those measures is that a failed login does not tell the user whether the username exists, so that bots cannot guess usernames by submitting candidate names. However, after a wrong password has been entered a number of times, the user account is blocked temporarily, and that blocked-account response is only ever produced for usernames that exist. An attacker can therefore still find out which usernames exist by submitting a few wrong passwords for each candidate name and watching for the lockout response.
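The following is an added example, not vantage6 code, that shows the discrepancy in miniature: a login service whose lockout message leaks account existence, next to a hardened variant that tracks lockouts per submitted name and answers every failure identically, plus the probe an attacker would use to tell the two apart. The user table, the lockout threshold of three attempts, the 60-second lockout and the PBKDF2 iteration count are all constructed for the example.

```python
"""Username enumeration through account-lockout responses.

Added example (not vantage6 code). Users, thresholds and messages are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 3        # constructed threshold
LOCKOUT_SECONDS = 60.0         # constructed lockout duration
GENERIC_FAILURE = "invalid username or password"
BLOCKED = "account temporarily blocked, try again later"


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class User:
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.failed_attempts = 0
        self.locked_until = 0.0

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class VulnerableLogin:
    """Lockout state lives only on real users, so BLOCKED is an existence oracle.
    (Unknown names also skip the hash, which adds a timing side channel.)"""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        user = self.users.get(username)
        if user is None:
            return GENERIC_FAILURE
        if now < user.locked_until:
            return BLOCKED                      # only reachable for existing users
        if user.check(password):
            user.failed_attempts = 0
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_until = now + LOCKOUT_SECONDS
            return BLOCKED                      # only reachable for existing users
        return GENERIC_FAILURE


class HardenedLogin:
    """Lockouts are keyed on the submitted name whether or not it exists, every
    failure returns the same text, and a locked name gets that same text even
    for the correct password. Unknown names are checked against a dummy user so
    the hash cost is paid on every path."""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users
        self._failed: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
        self._dummy = User("__dummy__", secrets.token_hex(16))

    def _record_failure(self, username: str, now: float) -> None:
        n = self._failed.get(username, 0) + 1
        self._failed[username] = n
        if n >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failed[username] = 0

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        user = self.users.get(username, self._dummy)
        ok = user.check(password) and user is not self._dummy   # always hash
        if now < self._locked_until.get(username, 0.0):
            return GENERIC_FAILURE              # locked, but say nothing different
        if ok:
            self._failed.pop(username, None)
            return "ok"
        self._record_failure(username, now)
        return GENERIC_FAILURE


def username_exists(service, username: str, now: float = 0.0) -> bool:
    """Attacker's probe: send wrong passwords past the lockout threshold and
    report True if the service's responses ever differ (i.e. the name exists)."""
    seen = {service.login(username, "definitely-wrong", now=now)
            for _ in range(MAX_FAILED_ATTEMPTS + 1)}
    return len(seen) > 1


if __name__ == "__main__":
    for cls in (VulnerableLogin, HardenedLogin):
        svc = cls({"alice": User("alice", "correct horse battery staple")})
        print(cls.__name__, {n: username_exists(svc, n) for n in ("alice", "mallory")})
```

Running the probe against `VulnerableLogin` flags `alice` as existing and `mallory` as not; against `HardenedLogin` both candidates look identical. Keying lockouts on arbitrary submitted names means an attacker can lock out real users and grow the table with junk names, so in practice the per-name counter is combined with per-source rate limiting and an upper bound on tracked names.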
References
- github.com/advisories/GHSA-36gx-9q6h-g429
- github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-313.yaml
- github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-52.yaml
- github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2
- github.com/vantage6/vantage6/issues/59
- github.com/vantage6/vantage6/pull/281
- github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429
- nvd.nist.gov/vuln/detail/CVE-2022-39228