
GHSA-2frx-j9hj-6c65 lexik/jwt-authentication-bundle

Package

Manager: composer
Name: lexik/jwt-authentication-bundle
Vulnerable Version: >=0 <2.10.7 || >=2.11.0 <2.11.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

User enumeration in authentication mechanisms

Description

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not.

Resolution

We now ensure that a generic message is returned whether the user exists or not, if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7) for the 2.10.x and 2.x branches.

Credits

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.
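The pattern the advisory describes, shown side by side with the generic-message fix, as an added example that is not code from the bundle or its patch. It is plain PHP 8 with no Symfony dependency: the in-memory user store, the two authenticator classes, the exception class and the sample account are all constructed for this illustration. The hardened variant goes one step beyond the advisory text by also verifying against a throwaway hash when the username is unknown, so that response time, not just the message, stays similar in both failure cases.

```php
<?php
// Added example (not the bundle's own code): the distinct-message behaviour
// described in the advisory beside a generic-message authenticator.
// All class names and the user store are hypothetical.

declare(strict_types=1);

final class AuthenticationException extends RuntimeException {}

/** Constructed in-memory user store: username => password hash. */
final class InMemoryUserRepository
{
    /** @var array<string, string> */
    private array $hashes = [];

    /** @param array<string, string> $plaintextUsers username => password */
    public function __construct(array $plaintextUsers)
    {
        foreach ($plaintextUsers as $username => $password) {
            $this->hashes[$username] = password_hash($password, PASSWORD_DEFAULT);
        }
    }

    public function findHash(string $username): ?string
    {
        return $this->hashes[$username] ?? null;
    }
}

/** Vulnerable pattern: the message reveals whether the username exists (CWE-200). */
final class LeakyAuthenticator
{
    public function __construct(private InMemoryUserRepository $users) {}

    public function authenticate(string $username, string $password): void
    {
        $hash = $this->users->findHash($username);
        if ($hash === null) {
            throw new AuthenticationException('Username could not be found.');
        }
        if (!password_verify($password, $hash)) {
            throw new AuthenticationException('Invalid password.');
        }
    }
}

/** Hardened pattern: one generic message for both failure cases, plus a dummy
 *  verify so the unknown-user branch does comparable work to the known-user one. */
final class GenericMessageAuthenticator
{
    private const GENERIC_MESSAGE = 'Invalid credentials.';
    private string $dummyHash;

    public function __construct(private InMemoryUserRepository $users)
    {
        // Hash of a random throwaway value, computed once at construction.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function authenticate(string $username, string $password): void
    {
        $hash = $this->users->findHash($username);
        // Always run password_verify; only succeed when a real user's hash matched.
        $valid = password_verify($password, $hash ?? $this->dummyHash) && $hash !== null;
        if (!$valid) {
            throw new AuthenticationException(self::GENERIC_MESSAGE);
        }
    }
}

/** Returns the message a caller would observe for one login attempt. */
function messageFor(object $authenticator, string $username, string $password): string
{
    try {
        $authenticator->authenticate($username, $password);
        return 'OK';
    } catch (AuthenticationException $e) {
        return $e->getMessage();
    }
}

// Constructed sample account.
$users = new InMemoryUserRepository(['alice' => 'correct horse battery staple']);

foreach ([new LeakyAuthenticator($users), new GenericMessageAuthenticator($users)] as $auth) {
    echo get_class($auth), PHP_EOL;
    echo '  unknown user  : ', messageFor($auth, 'mallory', 'x'), PHP_EOL;
    echo '  wrong password: ', messageFor($auth, 'alice', 'x'), PHP_EOL;
    echo '  valid login   : ', messageFor($auth, 'alice', 'correct horse battery staple'), PHP_EOL;
}
```

Running it prints two different failure messages for the leaky class and the same message for both failures in the hardened class. The generic message is the fix the advisory describes; the dummy verification is an added precaution, since a lookup that returns early for unknown usernames can still be distinguished by response time even when the message is identical.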

Metadata

Created: 2021-05-17T20:52:21Z
Modified: 2021-10-08T21:21:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2frx-j9hj-6c65/GHSA-2frx-j9hj-6c65.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F310
Auto approve: 1