GHSA-r6mm-wmhf-849m typo3/flow

Package

Manager: composer
Name: typo3/flow
Vulnerable Version: >=2.3.0 <2.3.16 || >=3.0.0 <3.0.10 || >=3.1.0 <3.1.7 || >=3.2.0 <3.2.7 || >=3.3.0 <3.3.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Time-Based Information Disclosure Vulnerability in Flow

The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence based on timing attacks, as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.
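The two shapes described above, side by side, as an added illustration that is not TYPO3 Flow's PersistedUsernamePasswordProvider code: the in-memory account store, the `authenticateVulnerable()`/`authenticateHardened()` functions and the dummy-hash approach are assumptions, built on PHP's built-in `password_hash()`/`password_verify()`.

```php
<?php
// Added example; not code from TYPO3 Flow. The account store and both
// authenticate functions are assumptions for illustrating the advisory.

// Constructed in-memory account store: username => password hash.
$accounts = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Vulnerable shape: the expensive hash comparison only runs when the account
// exists, so a request for an unknown username returns measurably faster
// than one for a known username with a wrong password.
function authenticateVulnerable(array $accounts, string $username, string $password): bool
{
    if (!isset($accounts[$username])) {
        return false; // fast path: no hashing work, timing reveals non-existence
    }
    return password_verify($password, $accounts[$username]);
}

// Hardened shape, matching the fix: once credentials are submitted, a password
// comparison always happens. For an unknown account the submitted password is
// verified against a precomputed dummy hash of the same algorithm and cost, so
// both branches perform comparable work. The result is still gated on the
// account actually existing.
function authenticateHardened(array $accounts, string $username, string $password, string $dummyHash): bool
{
    $accountExists = isset($accounts[$username]);
    $hash = $accountExists ? $accounts[$username] : $dummyHash;
    $passwordMatches = password_verify($password, $hash);
    return $accountExists && $passwordMatches;
}

// Dummy hash computed once at startup (e.g. when the provider is constructed),
// not per request, with the same algorithm and default cost as real accounts.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

var_dump(authenticateHardened($accounts, 'alice', 'correct horse battery staple', $dummyHash));
var_dump(authenticateHardened($accounts, 'alice', 'wrong password', $dummyHash));
var_dump(authenticateHardened($accounts, 'nobody', 'wrong password', $dummyHash));
```

With the hardened version every submitted credential pair costs one bcrypt verification whether or not the username exists; the account lookup itself still runs in both cases, so the remaining timing difference is limited to that lookup rather than to a skipped hash.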

Metadata

Created: 2024-06-05T17:28:47Z
Modified: 2024-06-05T17:28:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-r6mm-wmhf-849m/GHSA-r6mm-wmhf-849m.json
CWE IDs: []
Alternative ID: N/A
Finding: F026
Auto approve: 1