logo

Database

User enumeration

Description

The system provides different responses for existent and non-existent users, allowing an attacker to enumerate valid users via error messages, response times, frames count, among other techniques.

Impact

Obtain valid application usernames.

Recommendation

Set the same server response for existent and non-existent users.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⏱️ 15 minutes.

Requirements

225 - Proper authentication responses

Fixes

CsharpElixirGoJavaPhpPythonRubyScalaSwiftTypescript

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

N

Attack complexity

L

Attack requirements

N

Privileges required

N

User interaction

N

Confidentiality (VC)

L

Integrity (VI)

N

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

X

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N